[VOIPSEC] Who the heck needs security anyway...

Ari Takanen voipsa at codenomicon.com
Mon Apr 19 14:52:39 CDT 2010


Hello J,

On Mon, Apr 19, 2010 at 02:38:45PM -0400, J. Oquendo wrote:
> Personally, I feel that those within the VoIP arena are willing to
> listen to the "hat" wearers and perhaps that's because the vast
> majority of those involved with VoIP from my point of view have more
> of a technical background. VoIP to me was one of those "heaped on
> you" industries where most had to learn it on the fly. I'm sure in
> other domains, there were similar advances however VoIP is still
> young as opposed to those other domains. In other areas there are
> far too many Praetorian Guards unwilling to investigate/test/listen.

The VoIP industry is really business driven. If one of the requirements in
building SIP enabled solutions is openness, and Internet connectivity,
then security is a natural requirement. But I think the drivers (and
differences) in the VoIP industry are not the technical aspects (skills,
tools) at all. Key drivers are the requirements defined by
customers. If you cannot sell a bad quality product, you are forced to
evolve. That has not happened yet in any other industry.

Compare that to, e.g., consumer devices. We released test reports on
WiFi access points in early 2008 (http://www.codenomicon.com/labs/).
Everything failed miserably. This year we did the same for
browsers. Again everything failed in a matter of minutes of fuzzing. But
nobody cares, because there is no requirement to do proactive
security. The same skills are definitely there.

"Come and check my security" as the last thing before product release,
and "Building security in" are two completely different approaches. In
the first one, pentesters come in and "show cool stuff". Year after
year after year again, and nobody learns a thing. In the latter
approach, product security professionals come in and "teach cool
stuff". This happens once or twice, and then they do not need you
anymore.

Sorry, everyone, if the rest of the email is a bit too promotional.

On Mon, Apr 19, 2010 at 02:38:45PM -0400, J. Oquendo wrote:
> Now only if you Codenomicon guys let me freely play with your
> fuzzers for the sake of research!

Freely, as in money, or in access? ;)

Yes, we have had quite strict access to our tools, but this year they
are commercially (read "affordable", not "free") also available to all
pentest consultants. Also, the first free (as in no cost) tool since
PROTOS was launched just earlier this year (FTP unfortunately, not
SIP). But I am sure more will follow.

Several security consultants and researchers have also been given
access to our tools in the past. If you look at the DNS tests by OUSPG
carefully, you can see that they are running the Codenomicon engine. Many
of our research users are even quite celebrities; unfortunately, they
have not really said publicly how they find their zero days. ;)

Our tests have also been available to open source projects, and a
lot of them have been tested and fixed. Please contact us if you think
your project also needs testing.

You are all welcome to make a difference!

Best regards,

/Ari

-- 
Check out latest news from Codenomicon: http://www.codenomicon.com/news/
Check out my book on fuzzing: http://www.fuzz-test.com/

-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
Ari Takanen                   Codenomicon Ltd.
ari.takanen at codenomicon.com   tel: +358-40 50 67678
PGP: http://www.codenomicon.com/codenomicon-key.asc
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-