[VOIPSEC] Who the heck needs security anyway...
Ari Takanen
voipsa at codenomicon.com
Mon Apr 19 19:06:28 BST 2010
Sooner? ;)
The VoIP industry should be proud of itself! Already in 2002, the majority
of VoIP vendors had some type of systematic security testing (smart
fuzzing) in place, whereas the rest of the communication domains are still
struggling to convince their management of the benefits of proactive
security testing. Check out e.g. the PROTOS tool release from 2002/2003:
https://www.ee.oulu.fi/research/ouspg/PROTOS_Test-Suite_c07-sip
Perhaps with the only exception of SNMP testing, VoIP is the only
industry where multi-vendor vulnerability handling spawned an industry
of its own (with us at Codenomicon perhaps only two years ahead of the
rest):
http://www.cert.org/advisories/CA-2003-06.html
Also in no other industry have you had industry bodies defining
protocol misuse cases (and having annual meetings around them) since
2003. Even the industrial automation industry is only now trying to
work on anything similar. Check out e.g.:
http://tools.ietf.org/html/draft-ietf-sipping-torture-tests-00
and
http://www.ietf.org/rfc/rfc4475.txt
The VOIP community is YEARS ahead of the rest of the software
community. Every single VoIP vendor I know does some sort of fuzzing,
with the majority of them using at least two commercial solutions in
addition to their internally built test harnesses. Most of them have
had continuous security programmes since 2003.
Also if you look at the service providers in VoIP, you see that most
end-users do fuzzing. In most VoIP operators that I have worked with,
it is a natural part of the procurement process. They just refuse to buy
bad quality software. Security is a customer requirement, and
therefore _key part of the business_.
I have been looking at the security testing industry for quite some
time, and there are very few other market domains where security
testing is at the same maturity level. In VoIP, security equals
quality. Security is part of software development. Security is not
only about features and functionality, it is about systematic
elimination of bugs. It is about software reliability and
dependability.
All the rest of the industries still think "hacking" needs skills and
right attitude. VoIP engineers understand that it is just about tools,
processes and techniques.
Sorry for the rant, I suppose something snapped when I read the word
"sooner". ;)
Best regards,
/Ari
--
Check out latest news from Codenomicon: http://www.codenomicon.com/news/
Check out my book on fuzzing: http://www.fuzz-test.com/
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
Ari Takanen Codenomicon Ltd.
ari.takanen at codenomicon.com tel: +358-40 50 67678
PGP: http://www.codenomicon.com/codenomicon-key.asc
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
On Mon, Apr 19, 2010 at 01:01:12PM -0400, Alex Eckelberry wrote:
> This is a very refreshing dialog and one which I wish a lot of people had had a lot sooner.
>
> -----Original Message-----
> From: voipsec-bounces at voipsa.org <voipsec-bounces at voipsa.org>
> To: voipsec at voipsa.org <voipsec at voipsa.org>
> Sent: Mon Apr 19 12:51:54 2010
> Subject: [VOIPSEC] Who the heck needs security anyway...
>
> Carlos,
>
> I agree. However in my humble opinion, I am seeing a couple of
> improvements with this "old school" mentality on security versus
> business requirements. Some of the driving factors are the young,
> talented "hacker-minded" security professionals getting into the ranks
> of the corporate world. I guess some of the credit goes to the new (and
> exciting) school of thought out there. (Offensive Security, EC-Council,
> Wireshark University, etc.) They definitely help in molding IT
> person/network guys who are just used to being "Sys Admins" and "Cisco
> Pros" to embed the "hacker mentality" in their way of thinking.
>
> I help contribute Evil User Stories in an Agile Software environment.
> And yes, the "business" or functional requirements always take
> precedence, but when I chip in and discuss with the group the latest
> trends in exploitation and vulnerabilities, and demonstrate to them
> how easily it can be accomplished by a script kiddie like me, the
> senior guys are listening. Because they know, that we, the younger
> generation, are more into it and they respect us for that. We may not
> have their vast amount of experience but what we offer to the table is
> our energy and passion to learn how to penetrate applications and learn
> from that so we know how to protect it.
>
> It's up to us to convince and help the senior guys listen that
> Hollywood-style security incidents do happen, in and out of the corporate
> world.
>
> Thanks.
> Ron
>
>
> ----
> They are right. The problem is that we rarely have anyone who
> understands both security and business needs to put together sensible
> rules. The geeks go with security at all costs, and the business people
> find ways around it because it's too onerous.
>
> --
> Sent from my iPad
>
> On Apr 14, 2010, at 11:41 AM, "J. Oquendo" <sil at infiltrated.net> wrote:
>
> >
> > Not VoIP related per-se ...
> >
> >
> > http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_password/
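Ari's post points at the SIP torture tests (RFC 4475) and at vendors fuzzing their stacks as a matter of course. The following is an added example and not code from the post, from PROTOS, from Codenomicon or from RFC 4475: it builds one well-formed INVITE, derives a set of torture-style mutations written for this example (negative and oversized Content-Length, an overlong Via branch, a header without a colon, a lowercase method, a non-ASCII request URI, a CSeq/method mismatch, a missing header terminator, a bare LF), and runs each one through a small defensive SIP request parser that rejects what it cannot safely interpret. The per-line and header-count bounds are assumptions for the example, not values from any RFC; the Content-Length handling follows RFC 3261 section 18.3 (a declared length larger than the datagram drops the message, a smaller one discards trailing bytes).

```python
"""Torture-style SIP test cases against a defensive request parser.

Added example (not from the VOIPSEC post, PROTOS, Codenomicon or RFC 4475).
The baseline request and every mutation below are constructed for this
example; the parser is a validator, not a full SIP stack (no line folding).
"""
import re

# Constructed baseline INVITE; the body is exactly 5 bytes.
BASELINE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 70\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 5\r\n"
    "\r\n"
    "v=0\r\n"
)

# Torture-style mutations written for this example: name -> (old, new).
MUTATIONS = {
    "negative_content_length": ("Content-Length: 5", "Content-Length: -5"),
    "oversized_content_length": ("Content-Length: 5", "Content-Length: 9999"),
    "short_content_length": ("Content-Length: 5", "Content-Length: 3"),
    "duplicate_content_length": ("Content-Length: 5", "Content-Length: 5\r\nContent-Length: 5"),
    "overlong_via_branch": ("branch=z9hG4bK776asdhds", "branch=z9hG4bK" + "a" * 4000),
    "header_without_colon": ("Max-Forwards: 70", "Max-Forwards 70"),
    "lowercase_method": ("INVITE sip:bob", "invite sip:bob"),
    "non_ascii_request_uri": ("sip:bob@example.com SIP/2.0", "sip:bob@ex\u00e4mple.com SIP/2.0"),
    "cseq_method_mismatch": ("CSeq: 314159 INVITE", "CSeq: 314159 REGISTER"),
    "missing_header_terminator": ("\r\n\r\n", "\r\n"),
    "bare_lf_in_header": ("Max-Forwards: 70\r\n", "Max-Forwards: 70\n"),
}


class SipParseError(ValueError):
    """The message failed a check; a receiver would drop it, not guess."""


MAX_LINE_BYTES = 1024   # assumed bound for this example, not from any RFC
MAX_HEADERS = 64        # likewise an assumed bound
REQUIRED = ("via", "to", "from", "call-id", "cseq")
TOKEN = re.compile(rb"[A-Za-z0-9\-.!%*_+`'~]+")   # RFC 3261 token chars


def parse_request(raw: bytes) -> dict:
    """Parse one SIP request from a datagram, rejecting malformed input."""
    if b"\r\n\r\n" not in raw:
        raise SipParseError("no CRLFCRLF header terminator")
    head, body = raw.split(b"\r\n\r\n", 1)
    lines = head.split(b"\r\n")
    if len(lines) - 1 > MAX_HEADERS:
        raise SipParseError("too many header lines")
    for ln in lines:
        if len(ln) > MAX_LINE_BYTES:
            raise SipParseError("header line exceeds %d bytes" % MAX_LINE_BYTES)
        if b"\r" in ln or b"\n" in ln:
            raise SipParseError("bare CR or LF inside a header line")
    try:
        start = lines[0].decode("ascii")
    except UnicodeDecodeError:
        raise SipParseError("non-ASCII byte in request line") from None
    m = re.fullmatch(r"([A-Z]+) (\S+) SIP/2\.0", start)   # methods are case-sensitive
    if m is None:
        raise SipParseError("malformed request line")
    method, uri = m.group(1), m.group(2)

    headers: dict = {}
    for ln in lines[1:]:
        name, sep, value = ln.partition(b":")
        name = name.strip()
        if not sep or not TOKEN.fullmatch(name):
            raise SipParseError("malformed header line: %r" % ln[:40])
        headers.setdefault(name.decode("ascii").lower(), []).append(value.strip())
    for h in REQUIRED:
        if h not in headers:
            raise SipParseError("missing required header " + h)

    cseq = re.fullmatch(rb"(\d{1,10}) ([A-Z]+)", headers["cseq"][0])
    if len(headers["cseq"]) != 1 or cseq is None or cseq.group(2).decode() != method:
        raise SipParseError("CSeq duplicated, malformed or not matching the method")

    # Content-Length is optional over UDP; if present it must be a single
    # non-negative integer. RFC 3261 s18.3: larger than the datagram means
    # a truncated message (drop it); smaller means trailing bytes are ignored.
    if "content-length" in headers:
        vals = headers["content-length"]
        if len(vals) != 1 or not re.fullmatch(rb"\d{1,10}", vals[0]):
            raise SipParseError("Content-Length duplicated or non-numeric")
        declared = int(vals[0])
        if declared > len(body):
            raise SipParseError("Content-Length %d exceeds %d body bytes" % (declared, len(body)))
        body = body[:declared]
    return {"method": method, "uri": uri, "headers": headers, "body": body}


def mutate(name: str) -> bytes:
    """Apply one named mutation to the baseline; each targets exactly one spot."""
    old, new = MUTATIONS[name]
    assert BASELINE.count(old) == 1, name
    return BASELINE.replace(old, new, 1).encode("utf-8")


def run_cases() -> dict:
    """Feed the baseline and every mutation to the parser; return the verdicts."""
    verdicts = {}
    for name in ["baseline", *MUTATIONS]:
        raw = BASELINE.encode("utf-8") if name == "baseline" else mutate(name)
        try:
            msg = parse_request(raw)
            verdicts[name] = "accepted (body %d bytes)" % len(msg["body"])
        except SipParseError as e:
            verdicts[name] = "rejected: " + str(e)
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_cases().items():
        print("%-28s %s" % (name, verdict))
```

Only the baseline and the short Content-Length case are accepted (the latter with the body cut to 3 bytes, as section 18.3 allows); every other mutation is dropped with a reason. A real suite like PROTOS c07-sip or the RFC 4475 cases goes much further (thousands of generated variants per field), but the shape is the same: enumerate the ways a field can be wrong, then check that the stack fails closed rather than crashing or misparsing.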