[VOIPSEC] [SearchSecurity.com] Better VoIP training needed, SANS director says
Vijay K. Gurbani
vkg at alcatel-lucent.com
Fri Dec 8 16:43:48 GMT 2006
Geoff Devine wrote:
> In my opinion, 90% of developers are plenty capable of writing decent
> VoIP software.
Let's put it this way: every developer is not capable of writing
90% decent VoIP software. The reason is that the skills required
to write decent VoIP software are very formidable, and much varied.
Let's assume that the definition of "decent VoIP software" is
software that uses optimal code optimization techniques;
addresses scalability and reliability concerns; attends to
the real-time nature of the protocols involved; and of course, is
extremely secure, both from a cryptographic point of view and
the systems point of view.
It is extremely hard, if not impossible, to find all these skills
concentrated in one developer.
So one of two things will happen. First, developers with core
competency in one area will write the layer appropriate to their
skill set. This is great in theory, but if there is little,
or no communication between the developer of that layer and the
user of that layer, then in practice this paradigm breaks down
(a well-known pattern in software engineering anyway).
Or, you can harness the Open Source development techniques
across the (big-I) Internet or within your own enterprise to
leverage the "million eyeballs" effect. We have used this
technique with successful results in the area of VoIP signaling:
Gurbani, V.K., Garvert, A., and Herbsleb, J., "A Case Study of a
Corporate Open Source Development Model," Proceedings of the 28th ACM
International Conference on Software Engineering (ICSE 2006), pp.
472-481, May 20-28, 2006, Shanghai, China.
Gurbani, V.K., Garvert, A., and Herbsleb, J., "A Case Study of Open
Source Tools and Practices in a Commercial Setting," Proceedings of the
5th ACM Workshop on Open Source Software Engineering, pp. 24-29, May 17,
2005, St. Louis, USA.
That said, I could not agree more with other excellent observations
by Mr. Devine, which are worth repeating:
> The real problem is that commercial realities intrude. Projects are
> end date scheduled with insufficient resources and products go to
> market before they are fully baked. The PSTN was created with the
> infinite resources of monopoly telephone companies and
> government-sponsored corporations. SIP is an experimental protocol
> that is still evolving. In the "good old days", there would have
> been a 10 year pause as standards bodies staffed by the monopolies
> worked out the issues. Today, we're getting just-in-time engineering
> with all the problems associated with early deployment of emerging
> technologies that use experimental protocols. Security typically
> goes last since there is no profit in security.
> I'm not convinced that better training of VoIP system administrators
> solves the problem. In my universe, the biggest problem I see is
> that internet network administrators don't have a clue that they're
> now running a five 9's lifeline application on their data networks.
> The PSTN had a century to evolve the methods and procedures to keep
> their network up and stable. Data networks have not had that
> requirement until very recently and we need a culture shift.
> Internet network administrators really are VoIP system administrators
> since they inherit the requirements of the VoIP application that is
> running on their networks.
Vijay K. Gurbani, Ph.D. Bell Laboratories, Alcatel-Lucent
2701 Lucent Lane, Rm. 9F-546, Lisle, Illinois 60532 (USA)