Network security is expected to be an almost $200 billion industry by the year 2020. In a world where everything is connected, securing everything can be big business. There are thousands of security researchers working daily to find the next big exploit. We have seen some huge exploits in the last few years, such as “Heartbleed”, “Shellshock” and “Poodle”, in code that had been around for years.
A blessing, and sometimes a curse, of open source software is that no matter how vigilant you are, if you slip once, someone will find it. We’ve always taken security very seriously and have employed many approaches to ensuring FreePBX is secure.
FreePBX goes through continuous human and automated scanning looking for various attack vectors. On the human side, we rely on internal developers who are passionate about security, both in our software and in the software they use. They do code reviews and code audits to ensure new code is up to par. We also work with independent security researchers who review our entire code base looking for issues that may have been in the code for years. We complement the human audits with automated tools, including the RIPS scanner from ripstech.com.
RIPS, a static code analysis tool, does what would be impossible for a human to do. It looks at all 400,000+ lines of FreePBX code and runs automated checks for Cross-Site Scripting, Code Execution, Command Execution and many other exploitable vectors. From that, it generates a report detailing potential vulnerabilities that may lie in our codebase. That alone is a lot, but it is only the start: RIPS then details how to patch each vulnerability to minimize the risk moving forward. We mention this because the RIPS utility has found many code issues that we might not have found in a manual review of the FreePBX code base, and it has helped us strengthen the security of FreePBX.
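To illustrate the kind of source-to-sink check a static analyzer performs on PHP, here is a toy taint tracker written for this post. It is an added example, not FreePBX code and not how RIPS is implemented: it walks constructed PHP-like lines, marks variables fed from request superglobals as tainted, clears a taint class when a matching sanitizer is applied, and reports when tainted data reaches an `exec`/`system`/`eval`/`echo` sink.

```python
import re

# Constructed PHP-like snippet for the demo (not real FreePBX code).
SAMPLE = """
$ext = $_GET['ext'];
$safe = escapeshellarg($ext);
$name = htmlspecialchars($_POST['name']);
exec("asterisk -rx 'sip show peer " . $ext . "'");
system("ls " . $safe);
echo "<b>" . $name . "</b>";
echo $_REQUEST['msg'];
eval($cfg);
"""

SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")
# Sink function -> vulnerability class it can lead to when fed tainted data.
SINKS = {"exec": "Command Execution", "system": "Command Execution",
         "shell_exec": "Command Execution", "eval": "Code Execution",
         "echo": "Cross-Site Scripting"}
# Sanitizer -> the single vulnerability class it neutralises (others stay tainted).
SANITIZERS = {"escapeshellarg": "Command Execution",
              "htmlspecialchars": "Cross-Site Scripting"}

ASSIGN = re.compile(r'^\s*(\$\w+)\s*=\s*(.+);\s*$')
CALL = re.compile(r'^\s*(\w+)\s*\(?(.*?)\)?\s*;\s*$')

def _uses(var, text):
    # Whole-identifier match so $ext does not match $extension.
    return re.search(re.escape(var) + r'\b', text) is not None

def scan(code):
    """Return [(line, vulnerability class, sink)] for tainted flows into sinks."""
    tainted = {}   # variable -> set of classes it is still dangerous for
    findings = []
    for lineno, line in enumerate(code.strip().splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            var, rhs = m.groups()
            taint = set(SINKS.values()) if any(s in rhs for s in SOURCES) else set()
            for v, classes in tainted.items():   # taint propagates through assignment
                if _uses(v, rhs):
                    taint |= classes
            for fn, cls in SANITIZERS.items():   # a sanitizer clears only its own class
                if fn + "(" in rhs:
                    taint.discard(cls)
            if taint:
                tainted[var] = taint
            else:
                tainted.pop(var, None)           # reassigned from clean data
            continue
        m = CALL.match(line)
        if m and m.group(1) in SINKS:
            fn, args = m.groups()
            cls = SINKS[fn]
            direct = any(s in args for s in SOURCES)
            via_var = any(_uses(v, args) and cls in c for v, c in tainted.items())
            if direct or via_var:
                findings.append((lineno, cls, fn))
    return findings
```

On the sample it flags the `exec` call built from the raw `$ext` and the `echo` of `$_REQUEST`, while the `escapeshellarg`-wrapped `system` call and the `htmlspecialchars`-wrapped `echo` are reported clean.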
With these approaches, we aim to make your PBX secure so it’s one less issue you have to worry about.
“If you’re the smartest one in the room, you’re in the wrong room.” – Richard Tirendi
It is ultimately a battle of knowledge, and someone out there is always smarter than you. This is why some vulnerabilities sit dormant for a decade (such as Heartbleed). It took that long for someone to come along and see the code in a different way. When they ultimately release the exploit, it often seems obvious.
We always welcome fresh eyes to review our code. Whether human or through machine automation, we are happy to work with anyone who wants to make the world a more secure place.
Our policy on responsible reporting can be seen at http://wiki.freepbx.org/display/FOP/Security+Reporting, and we appreciate all the security researchers who use their time to make the world more secure.
A special thanks to the https://www.ripstech.com team for analyzing our code and helping make FreePBX a more secure project.