Getting offensive: a different approach to RTC security. Sandro Gauci, CEO / Senior Penetration Tester / Chief mischief officer at Enable Security GmbH.
Sandro Gauci leads operations and research at Enable Security. To this community he is known as the original developer of SIPVicious OSS, the SIP security toolset. At Enable Security, he helps develop offensive security tools in the RTC space and provides penetration testing services.
Real-time communications security: we all need it but it means different things to different people and organizations. As a result, security is bolted on to other solutions as if it were a feature or a product that one can buy.
In his session, Sandro is here to tell you why this approach doesn’t work and how defensive security needs the offensive side of security to have the desired effect. There will be practical examples of how a purely defensive approach to RTC security fails, and other sources of entertainment will be included.
Sandro provides a great review of the current status of RTC security, with some very revealing stories from the trenches across VoIP and WebRTC. His comments on STIR/SHAKEN increasing the attack surface because of its complexity makes sense, especially as its designed by committee and while adopting many of the latest techniques lacks the battle testing from the trenches.
His core recommendation is using threat modelling and offensive security (think evil) together to deliver better protection across CIA (Confidentiality, Integrity, and Availability). As penetration testing does not mean your infrastructure is secure. His recommendations show we’ve got much work to do in this space. RTC Security must be part of every TADSummit, as it deserves much more attention.
Thank you, Sandro, for an enlightening presentation, with some excellent demonstrations. I agree we need something like OWASP (Open Web Application Security Project), an Open RTC Security Project (ORTSec) – not as elegant a name as OWASP though. I think this can address several of the issues you raise on testing methods, playground, and sharing.
Communications vendors have historically been large and silo’ed, but open source telecom software changed that and revolutionized communications. Perhaps given its importance, the time is right to do something collaborative in RTC Security. But how do we make it happen?
Hi Alan – thanks for the comments.
How to make it happen – I hope to have some discussions on that very topic. It seems to me that more people need to be involved. And having this iterative approach of offensive security informing defensive security and vice-versa, I think, would be a way to grow.
On choosing a name: indeed, we might need work on the name although surprisingly it Open RTC Security Project does not sound too terrible 🙂