
Unified Communications And Collaboration Products

Lohika provided recommendations to help our client make their offering more secure.

Challenge

UC software (UCS) is a potential cyber-attack surface because it processes confidential and personal data. Our client is a security-conscious company that works to prevent vulnerabilities from slipping through its delivery process. The client relies on a host of stringent measures, such as secure development practices, internal security procedures, and thorough external audits, and was looking for a reliable partner to perform a comprehensive security assessment of its UCS offerings.

Overview

Our client has a strong portfolio of UC and collaboration products that thousands of companies and institutions across the globe rely on. Through secure voice, video and content sharing, the products unleash the power of human collaboration to help their users increase productivity, accelerate time-to-market, provide better services and even save lives.

Solution

The client decided to engage Lohika to perform the security assessment on their UCS code base. After the UCS code base analysis, the Lohika team prepared a security test plan and executed the exploit tests in a carefully planned test environment. We prepared a comprehensive report detailing the work performed, vulnerabilities discovered and recommendations.

Adopting a multipronged threat evaluation and vulnerability assessment approach, the Lohika security experts assessed potential vulnerabilities against the three main categories of confidentiality, integrity, and availability. The exercise covered all major aspects of the products' functional areas: real-time communication (SIP/H.323 signaling and RTP/RTCP media), local data storage, data flow through the network, and administration.

To start with, the Lohika security team carried out a security architecture and threat modeling review. Next, the team ran source code analyzers such as Klocwork, Cppcheck and FlawFinder, and binary analyzers such as Black Duck and binwalk; the reports from these tools were triaged, and a thorough manual security-focused code review was performed. Subsequently, the team did semi-manual security testing using industry-standard tools such as the Metasploit Framework and the PROTOS test suite, then prepared custom tests for exploiting suspicious areas and performed manual penetration testing. The team also analyzed network activity using network scanners and packet sniffers.

Finally, the Lohika team closed the loop by analyzing the gaps in the client's development practices and providing detailed guidelines and recommendations. Lohika's recommendations were based on industry best practices in cybersecurity (e.g., MISRA C/C++, CERT), encompassing secure architecture and coding practices and the implementation of a Secure SDLC (S-SDLC).

Results

As a result of this comprehensive and multipronged vulnerability assessment and security testing, Lohika discovered a number of vulnerabilities in the client's offerings related to the implementation of communication, storage, configuration, and peripherals. Each issue the team discovered was scored using CVSSv3, with details of how and why it could be exploited. The team also provided recommendations to fix the issues.

We are proud to say that the client acknowledged our work and incorporated findings and recommendations provided by Lohika in their immediate release backlog to expedite closing the security gaps.
