In early February 2005, a nascent organization to promote VoIP security research and testing began to take shape at a meeting in Austin, TX. Initial participants in the group, which formed to "discover and reduce VoIP security risks," include many key vendors, service providers, various security interests, and academic institutions. Among them you'll find Alcatel, Avaya, Codenomicon, Columbia University, Ernst and Young's Giuliani Advanced Security Center, Insightix, NetCentrex, Qualys, SecureLogix, Siemens, Sourcefire, Southern Methodist University, Spirent, Symantec, the SANS Institute, Tenable Network Security, and TippingPoint.
By March 28, the organization, which calls itself the Voice over IP Security Alliance (VOIPSA), had elected a board of directors, announced two very interesting kick-off projects, and issued a call for additional participation from interested parties. At the same time, it reported that membership of its technical board of advisors had doubled to include more than 50 organizations. The new members it listed at the time include: Acme Packet; Agilent Technologies; Arbor Networks; Bell Canada; BorderWare Technologies; Cox Communications; Extreme Networks; Foundstone Professional Services, a division of McAfee, Inc.; InfraVAST; MCI; Miercom; Mitel; PricewaterhouseCoopers; Samsung Telecommunications America; SonicWALL; Sprint; Telcordia; and VeriSign (for the full slate of directors and a complete list of members, see the site's Leadership page).
The board includes David Endler of TippingPoint (Chairman), Johnathan Zar of SonicWALL (Secretary), Andrew Graydon of BorderWare (Chair, Security Requirements Committee), Ofir Arkin of Insightix (Chair, Security Research Committee), and Brian Tolly of Spirent Communications (Chair, Testing Committee), so the leadership is well-stocked with security experts. The group's kick-off projects also promise some interesting research and results:
- Threat Taxonomy: In biology, a taxonomy is something like a family tree of known species, organized into various branches and sub-branches. VOIPSA's threat taxonomy will provide a glossary of terms organized into a structure that describes security threats and establishes a common lexicon for VOIPSA members to use. Since arguing over terms is a time-honored (and time-consuming) tradition, getting this stuff straight (and keeping it that way) is a smart move.
- Security Requirements: This will involve developing user profiles and related security requirements to provide input on VOIPSA projects related to best practices, testing, and communications with the outside world, divided up into the press, industry, and the general public.
Additional committees are forming to get projects going in community outreach, security requirements, security research, best practices, and testing.
As with other forms of information security, establishing ground rules, developing basic terminology and concepts, and deciding how and what to communicate to the world are all extremely important. I'm glad to see the organization off to a strong start, and planning to develop research materials and reports that will hopefully be illuminating, informative, and educational. It'll be interesting to watch and see what happens!
Ed Tittel is a regular contributor to numerous TechTarget Web sites, and the author of over 100 books on a wide range of computing subjects from markup languages to information security. He's also a contributing editor for Certification Magazine, and edits Que Publishing's Exam Cram 2 and Training Guide series of cert prep books. E-mail Ed at firstname.lastname@example.org.