[asterisk-users] Security Architecture or Security Evaluations Docs?

Jeffrey Walton noloader at gmail.com
Mon Jul 28 05:28:11 CDT 2014


Thanks Patrick,

> Assuming "security+evaluation" refers to Common Criteria,
Common Criteria is one, but not necessarily the only type of security
evaluation. Oftentimes organizations with resources will perform an
evaluation against their own standards before adopting or accepting a
system. I was hoping the project had an evaluation from past reviews
it could share.

> Re "asterisk+architecture", Asterisk Security related best practices are
> described here:
> http://svn.asterisk.org/svn/asterisk/trunk/README-SERIOUSLY.bestpractices.txt
Ah, OK thanks.

Is there anything that includes the development process? I'm
interested in the secure development items and testing.

Jeff

On Sat, Jul 26, 2014 at 9:18 AM, Patrick Laimbock <patrick at laimbock.com> wrote:
> On 26-07-14 14:23, Jeffrey Walton wrote:
>>
>> Does anyone know of Security Architecture or Security Evaluations
>> documents that I could read?
>>
>> Searching is turning up no hits. For example,
>> http://www.google.com/#q=security+evaluation+site:asterisk.org and
>> http://www.google.com/#q=security+architecture+site:asterisk.org.
>
>
> Assuming "security+evaluation" refers to Common Criteria, I'm not aware of
> any Common Criteria initiatives in relation to Asterisk (nor FreeSWITCH,
> OpenSIPS, Kamailio, Yate or any other Open Source VoIP project I'm aware
> of). Asterisk is a toolbox with many flexible building blocks and not a
> product like Cisco CallManager with pre-defined features set in stone. As
> such it doesn't really make sense to get Asterisk certified, if possible at
> all. It would be like trying to certify C or Python. If EALx certification
> is your requirement then have a look at the CallManager as iirc it's EAL1
> certified.
>
> Re "asterisk+architecture", Asterisk Security related best practices are
> described here:
> http://svn.asterisk.org/svn/asterisk/trunk/README-SERIOUSLY.bestpractices.txt
>


