testing

testing Blogs

  • Fuzzing Is Still Widely Unknown

    Posted January 19, 2009 - 10:18 am

    Based on a recent study by Gary McGraw and other well-known security gurus, all major product security teams apparently use fuzzing. But most (even security specialists) still seem to misunderstand what fuzzing really is about. Enter the world of fuzzing!
  • Testing - the pain, the power, the money

    Posted December 29, 2008 - 12:39 pm

    The first big dirty secret of coding is that to do it well, you need to spend as much time coding around your core code as you spend coding the core code itself.
  • VoIP Still Not Ready For Carrier-Grade Networks

    Posted October 2, 2008 - 1:22 pm

    After a quick tour of some Really Talented Groups dedicated to fuzzing research, I noticed three things: 1) Most teams are focused on fuzzing VoIP 2) Most if not all VoIP devices still break with fuzzing 3) Most VoIP vendors still do not get it. The tour continues...
  • Reason Behind Vulnerabilities

    Posted September 8, 2008 - 3:54 pm

    Now something completely unrelated to VoIP: Reason behind all vulnerabilities in software! I read an article that explained how vulnerabilities are basically created by the fact that people tend to drift from good development principles into practices that are just simply Fun. The engineers among us know that software development can be enormously interesting, something you would happily even do in your leisure time. But can fun be converted into reliable software?
  • (Is There) Motivation for VoIP Fuzzing

    Posted September 4, 2008 - 3:06 am

    What have we learned during these six or so years of proactive security work with VoIP fuzzing? Here are my top ten discoveries.
  • VoIP security auditing is becoming more and more complex ... Not!

    Posted August 15, 2008 - 7:14 am

    I am curious how people can conduct penetration tests of a complex VoIP system when they barely understand how VoIP infrastructure works. Today, security people are still stuck with auditing practices from the 1990s. When asked to do a penetration test, a consultant often is only looking at past issues that can be detected using various vulnerability scanners. Very few of them know that vulnerability scanners have extremely bad coverage of vulnerabilities in VoIP solutions. And even if the tools did know VoIP, who really cares about past issues that might have been relevant several years ago?