Ari Takanen


Vulnerability management: not just for scanning known vulnerabilities

Proactively searching and fixing the unknown zero-day vulnerabilities saves time and money for everyone. And it is easy! Proactive testing is the most effective form of vulnerability management, because the earlier vulnerabilities are...

Security Testing: It Is About Coverage

While I was reviewing a whitepaper titled Fuzzing Challenges: Metrics and Coverage, I thought the topic actually would deserve a wider analysis from the perspective of penetration testing. All the same metrics seem to apply to a...

Vulnerability Disclosure: Is it Blackmail, Whitemail or Bluemail

Hackers (or security researchers) come with a range of rainbow colored hats. Some guys'n'gals are nice (the White Hats). They find and disclose problems in communication products using approved responsible disclosure models. Others...

What to Look for in a Test Automation Product: Features or Benefits

Almost all the same benefits apply to almost any automation, whether it is vulnerability testing by security experts, integration testing by large enterprises, load testing by tier-1 carriers, or acceptance tests of outsourced...

Visualizing Security - The Challenge of 2009

I was browsing the Internet, just like any normal day, catching the news in the world on security. A recent release by Clarified Networks caught my eye: Logster. Logster itself is not really interesting to me personally, as using such...

Fuzzing and Product Security

Fuzzing is the only proactive security assessment technique for analyzing closed-source software components, and I am a strong supporter of using fuzzing in the software development life-cycle. Earlier, in my blog entry titled...

Fuzzing Is Still Widely Unknown

If you have read my blog here before, you might know me from the PROTOS project, and maybe as an author on VoIP security. PROTOS was fun, but it is really far away from real fuzzing. VoIP was definitely fun to break, but there are so...

Good VoIP Deployment Guidelines (Do Not Exist?)

Knowledge of security issues is a two-edged sword. Knowing enough about security will empower you to make the right choices. But knowing too much can make you paranoid. So what, if all VoIP systems can be broken into? Or can they? Or do you...

VoIP Still Not Ready For Carrier-Grade Networks

As I've mentioned in an earlier post, VoIP is a fascinating topic for security researchers. It comes with a number of very interesting interfaces and protocols for both signaling and media. It is loaded with funny intermediary...

Reason Behind Vulnerabilities

Now something completely unrelated to VoIP: Reason behind all vulnerabilities in software! I read an article that explained how vulnerabilities are basically created by the fact that people tend to drift from good development...

(Is There) Motivation for VoIP Fuzzing

We (at PROTOS research) released our first free VoIP fuzzers in 2002, and were amazed by the success! Everyone seemed to immediately adopt them into their quality assurance and security assessment practices. Some people still use...
