Getting offensive: a different approach to RTC security. Sandro Gauci, CEO / Senior Penetration Tester / Chief mischief officer at Enable Security GmbH.
Sandro Gauci leads operations and research at Enable Security. To this community he is known as the original developer of SIPVicious OSS, the SIP security toolset. At Enable Security, he helps develop offensive security tools in the RTC space and provides penetration testing services.
Real-time communications security: we all need it but it means different things to different people and organizations. As a result, security is bolted on to other solutions as if it were a feature or a product that one can buy.
In his session, Sandro is here to tell you why this approach doesn’t work and how defensive security needs the offensive side of security to have the desired effect. There will be practical examples of how a purely defensive approach to RTC security fails, and other sources of entertainment will be included.
Sandro provides a great review of the current status of RTC security, with some very revealing stories from the trenches across VoIP and WebRTC. His comments on STIR/SHAKEN increasing the attack surface because of its complexity make sense, especially as it is designed by committee and, while it adopts many of the latest techniques, lacks battle testing from the trenches.
His core recommendation is using threat modelling and offensive security (think evil) together to deliver better protection across CIA (Confidentiality, Integrity, and Availability), since a penetration test alone does not mean your infrastructure is secure. His recommendations show we’ve got much work to do in this space. RTC security must be part of every TADSummit, as it deserves much more attention.