Developers should put more efforts into securing communications platform against the loss of data from users and a businessβs customers, according to industry figures.
Recently, there have been a number of reports about communications platforms having significant security vulnerabilities associated with storage or access to user data. Among the platforms affected include Slack, WhatsApp, Telegram, Instagram, SnapChat, Zoom and others.
SymantecΒ exposed a vulnerability associated with the secure messaging apps WhatsApp and Telegram, on the heels of news around Zoom with a severe security vulnerability.
The bugs in WhatsApp and Telegram stem from the lapse in time between when media files received through the apps are written to the disk, and when they are loaded in the appsβ chat user interface (UI) for users to consume.
In an interview with UC Today, Chris Howell, CTO and co-founder of end-to-end encryption platform, Wickr, said that such platforms re years in development and millions of lines of code. All this code requires Β many developers, development managers, product teams, QA teams, infrastructure teams, support teams, processes and procedures to maintain them.
It is in that code where the security issues crop up.
βSecurity bugs generally bring have significant user impact in terms of loss of privacy, etc, which also makes them more βlucrativeβ for bad actors to find,β he said.
βItβs harder to test for security bugs, too, which means absent specific skill and attention, the quality of security testing on the whole is probably lower vs. functional testing at most organisationsβ
He said that his company has spent a lot of time building a security test program, which has many facets, βfrom security unit testing by developers to white box penetration testing by third parties, both formally engaged and via bug bounty programs.Β It takes that kind of broad base effortβ.
Howell adds that testing that is part of the development processes is probably the most effective, but itβs also hard to measure and almost always the first thing that gets cheated when deadlines loom.Β βThen, when bugs are found in production, itβs typically QA testing (the last round of testing) thatβs scrutinised, which isnβt necessarily the best place to point the finger,β he said.
Lifesizeβs CEO Craig Malloy, told UC Today that security is too often an afterthought in video communication:
βWhile the user experience is undeniably important, it means absolutely nothing if customers canβt trust that their critical business communications and sensitive data are protected in the most responsible, secure ways possibleβ
βThe Zoom exploit method reported further reinforces why sacrificing security for convenience is made worse by the fact that it still does not encrypt video calls by default for the vast majority of its customers,β he said.
He added that building comms services upon secure open standards like WebRTC, ensures βenterprise-grade security controls are turned on by defaultβ and business is conducted βon a foundation of transparency and trustβ with customers.
Β
