Profile

Ari Takanen

Member since: July 2008

Bio: Ari Takanen is founder and CTO of Codenomicon (www.codenomicon.com). Since 1998, Ari has focused on information security issues in next-generation networks and other security-critical environments. He began this work at Oulu University Secure Programming Group (OUSPG) as a contributing member to PROTOS research. His current company, Codenomicon Ltd., provides commercial solutions for security testing of communication devices and networks. Ari has spoken at numerous security and testing conferences, and has been invited to speak at leading universities and international corporations.

Activity

  • Today, on Wednesday June 8th, we celebrate the World IPv6 Day. Although IPv6 itself is a big step towards a more secure Internet, the transition from IPv4 to IPv6 is bound to also create new security, quality and interoperability challenges. IPv6 is not thoroughly tested because IPv6 has not been widely adopted. Read more to find out what you should do to prepare, or rather what you should have done already.

    35 weeks 6 days ago

  • While I was reviewing a whitepaper titled Fuzzing Challenges: Metrics and Coverage, I thought the topic actually would deserve a wider analysis from the perspective of penetration testing. All the same metrics seem to apply to a good technical pentest. Well, most penetration testers would anyways pull a fuzz-tool of their choice from their toolkit when coming to do the audit.

    2 years 1 week ago

  • Hackers (or security researchers) come with a range of rainbow colored hats. Some guys'n'gals are nice (the White Hats). They find and disclose problems in …

    2 years 29 weeks ago

  • Almost all the same benefits apply to almost any automation, whether it is vulnerability testing by security experts, integration testing by large enterprises, load testing by tier-1 carriers, or acceptance tests of outsourced development. I am not sure if this is useful for you, but if it is: Please give a thumbs-up and I will know that at least some people have troubles with automation.

    2 years 29 weeks ago

  • I was browsing the Internet, just like any normal day, catching the news in the world on security. A recent release by Clarified Networks caught my eye: …

    2 years 38 weeks ago

  • Fuzzing is the only proactive security assessment technique for analyzing closed-source software components, and I am a strong supporter of using fuzzing in …

    2 years 47 weeks ago

  • If you have read my blog here before, you might know me from the PROTOS project, and maybe as an author on VoIP security. PROTOS was fun, but it is really far …

    3 years 3 weeks ago

  • Knowledge on security issues is a two-edged sword. Knowing enough of security will empower you to make right choices. But knowing too much can make you …

    3 years 16 weeks ago

  • As I've mentioned in an earlier post, VoIP is a fascinating topic for security researchers. It comes with a number of very interesting interfaces and protocols …

    3 years 19 weeks ago

  • Now something completely unrelated to VoIP: Reason behind all vulnerabilities in software! I read an article that explained how vulnerabilities are basically …

    3 years 22 weeks ago

  • We (at PROTOS research) released our first free VoIP fuzzers in 2002, and were amazed by the success! Everyone seemed to immediately adapt them into their …

    3 years 23 weeks ago

  • I am curious how people can conduct penetration tests of a complex VoIP system when they barely understand how VoIP infrastructure works. Today, security …

    3 years 26 weeks ago

  • The greatest challenge in VoIP security is that there are very few good example case studies available. There are some very good VoIP deployments. But try to …

    3 years 30 weeks ago

Comments

Ari Takanen's Comments (4)

  • Commented on Visualizing Security - The Challenge of 2009

    If you are interested in more links to visualization resources, check out the collection maintained by Clarified: https://www.clarifiednetworks.com/Visualizations

    3 years ago

  • Commented on Visualizing Security - The Challenge of 2009

    A quick look at secviz.org revealed a few cool looking things. Thanks for the link! I am sure the readers will appreciate that. Personally, my interest in visualizations is in a completely different area. But it would be great to meet and discuss sometime. If interested in discussing more on this topic, just email me at: ari.takanen@codenomicon.com

    3 years ago

  • Commented on (Is There) Motivation for VoIP Fuzzing

    Digium definitely touches many of the points I made in the original post as it is kind-of free and kind-of open source. Motivation for a QA budget can be problematic when you cannot really show any return for the investment (i.e. more sales).

    3 years ago

  • Commented on VoIP security auditing is becoming more and more complex ... Not!

    Thank you for the definitions for each of these. Unfortunately still today, there are as many definitions as there are security consultants. As my background is in fuzzing, I do not really agree with these definitions. If we do an assessment, we run tools (our own fuzzers, and other available fuzzers and non-fuzzers from other companies) to mostly find unknown vulnerabilities. We can find known issues also, but that is not the purpose of the assessment. This in most cases is an "audit" (or assessment, or test, or review) against a carefully designed test specification, sometimes dictated by the industry and in almost every case pre-run in similar form by another party. Often this is part of a certification process. And yes, the tools are very similar to what a hacker would use in what you call "penetration test".

    3 years ago
