[VOIPSEC] Any pointers to "audit methodology" for analyzing VoIP systems?

[Dan York]

VOIPSEC readers,

As I just posted here:

http://voipsa.org/blog/2007/12/12/pointers-to-any-audit-methodology-for-forensic-analysis-of-voip-systems/

I was recently asked if I knew of any efforts to define a methodology for auditing a VoIP system, especially from a forensic point of view.

For instance, I am aware of the OWASP project for testing web applications ( http://www.owasp.org/ ) which has created the "Testing Guide" that basically outlines a methodology for testing web applications:

http://www.owasp.org/index.php/Category:OWASP_Testing_Project

I don't know that this is necessarily the type of thing my questioner was looking for, but it is one approach out there.

Is anyone aware of similar types of documents for VOIP systems?  (I'm not.)

If there aren't any out there, this does seem to me to be the type of document that an organization like VOIPSA could create.  We'd just need someone to lead that effort.  (And it couldn't be me because, well, I'm just a wee bit behind on launching the Best Practices project, eh?)

Thanks in advance for any info,
Dan

-- 
Dan York, CISSP, Director of Emerging Communication Technology
Office of the CTO    Voxeo Corporation     dyork at voxeo.com
Phone: +1-407-455-5859  Skype: danyork  http://www.voxeo.com
Blogs: http://blogs.voxeo.com  http://www.disruptivetelephony.com

Bring your web applications to the phone.
Find out how at http://evolution.voxeo.com