Securing the data and systems associated with lawful intelligence platforms is critical to the mission of protecting society while safeguarding privacy. Modern SecDevOps best practices guide the full software development lifecycle for SS8 platform features and capabilities, from the initial requirements stage, through development, deployment, and production. Comprehensive multilayer hardening is particularly vital as the software’s inherent complexity, with thousands of connections into the mobile network, has been amplified by its deconstruction into cloud-native microservices.
Security is a core engineering requirement for the SS8 platform, governed by strict sets of requirements at every stage, including ongoing automated scans of code, builds, packaging, and network traffic. Continuous security testing and compliance checks are built into the lifecycle to identify potential vulnerabilities, from the code out to the network communication level, guided in part by SS8’s ISO 27001 accreditation. Practices drawn from industry security frameworks further strengthen SecDevOps processes and the protections built into the platform.
The SS8 platform itself is protected by use of hardened custom Linux on an isolated network that is not connected directly to the public internet. Operationally, it is secured up to or beyond 3GPP recommendations with features such as HashiCorp Vault for password protection and end-to-end encryption of data in transit and at rest. The software incorporates data access controls with granular role-based permissions to help minimize its exposure to threats. It also implements a tamper-resistant audit trail based on logs of who accessed specific data and when.
Code Security Analysis and Hardening
The millions of lines of constantly updated code in modern software applications create tremendous security complexity. Static code analysis examines sources early and often throughout the development process, helping identify common coding errors, vulnerabilities, and non-compliance with best practices. Automated regression testing identifies new defects that are introduced by changes and their interactions with other software components.
These processes help surface issues such as buffer overflows, SQL injections, and other security weaknesses so they can be addressed as soon as possible to reduce their impact. SS8 development teams also integrate static analysis tools into the continuous integration/continuous deployment (CI/CD) development pipeline. That integration allows code to be automatically analyzed on an ongoing basis, including required scanning before code is committed, for continuous improvement to code quality and security.
The elastic capacity of cloud-based test infrastructure helps SS8 scale testing and analysis, including security assessment under simulated real-world conditions with large test workloads. SecDevOps models can potentially also draw on the broad access to security tools and frameworks that cloud-based testing provides.
Vulnerability Assessment and Remediation
Securing communications has become exponentially more complex as monolithic applications have been replaced by distributed microservices. The SS8 SecDevOps orientation addresses that complexity in part by engineering vulnerability assessment and security in a multilayer model. That is, application-layer security is augmented by restrictions and scanning applied at successive layers, including individual containers, Kubernetes clusters, and at the node and operating system levels, as well as the surrounding network.
In addition to secure code development and testing, the platform enhances application-layer security by locking down traffic paths. Analysis of traffic requirements informs network port scanning so that the application can close all but the minimally required logical ports. That simplification reduces the attack surface and simplifies administration and enforcement of security policy by network operators. SS8 further protects data transmission with the 3GPP-recommended implementation of transport layer security (TLS) 1.3 and strong ciphers across the environment.
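One way to verify that only the minimally required ports are listening, shown as an added example that is not SS8's code: it parses a constructed sample of `ss -H -tln` output and reports listeners that fall outside an allowlist. The port numbers, their purposes, and the loopback-only rule are assumptions chosen for illustration.

```python
"""Audit TCP listeners against a minimal port allowlist (added example)."""

# Constructed allowlist: ports a traffic-requirements analysis deems necessary.
# Port numbers and purposes are assumptions for illustration only.
ALLOWED_PORTS = {8443: "TLS API", 9090: "metrics (loopback only)"}
LOOPBACK_ONLY = {9090}

# Constructed sample of `ss -H -tln` output (State Recv-Q Send-Q Local Peer).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 4096 0.0.0.0:8443 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:9090 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 [::]:9090 [::]:*
LISTEN 0 128 *:5432 *:*
"""

def parse_listeners(ss_output):
    """Return (address, port) for every LISTEN row; skip malformed rows."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # rpartition keeps bracketed IPv6 addresses such as [::] intact.
        address, _, port = fields[3].rpartition(":")
        if port.isdigit():
            listeners.append((address, int(port)))
    return listeners

def is_loopback(address):
    """True for IPv4 127.0.0.0/8 and the IPv6 loopback as ss prints them."""
    return address.startswith("127.") or address == "[::1]"

def audit(ss_output, allowed=ALLOWED_PORTS, loopback_only=LOOPBACK_ONLY):
    """Return sorted findings: listeners that violate the allowlist."""
    findings = []
    for address, port in parse_listeners(ss_output):
        if port not in allowed:
            findings.append((port, address, "not in allowlist"))
        elif port in loopback_only and not is_loopback(address):
            findings.append((port, address, "must bind to loopback only"))
    return sorted(findings)

if __name__ == "__main__":
    for port, address, reason in audit(SAMPLE_SS_OUTPUT):
        print(f"{address}:{port} -> {reason}")
```

Run in CI or on a deployed node, a non-empty result from `audit` is a policy violation to fix by closing the port or narrowing its bind address.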
Vulnerability assessment of the SS8 platform extends to testing and hardening activities in collaboration with customers in their deployment environments, according to their internal standards. To mitigate security dependencies on the operating system and open source components, SS8 orchestrates patch updates and management, including from third-party sources.
Penetration Testing and Risk Mitigation
Assessing the platform’s security posture includes active measures such as simulated cyberattacks using penetration testing. SS8 applies penetration testing internally to prevent persistent gaps and vulnerabilities in the solution stack’s security posture, including dynamic analysis of the code in a running state to assess its behavior in real time. The process generates reports of potential vulnerabilities that the development team can then address.
Customers may provide one or more additional penetration tools and test suites to expand coverage; that broad universe of testing improves overall security for everyone. Such testing may be done by customer security teams in isolation from the customer’s deployment team and SS8, helping increase fidelity with real-world attacks.
Particularly in government deployments, testing of the SS8 platform is sometimes further intensified with a “red team” of attackers pitted against a “blue team” defending the environment. These exercises may involve advanced exploitation attempts, with red teams writing custom tools and using novel techniques. Reports on potential vulnerabilities identified through these attacks combine with the rest of the cyber analysis regimen to exceed industry standards and best
About Syed Hussain
Syed Hussain has spent more than 20 years working in the telecommunication and cyber security industry in Engineering and Product Management leadership roles. He brings significant technical expertise to his role as VP of Product Management for SS8’s Lawful Intelligence products, covering Service Providers and Law Enforcement market domains. He has led architecture and design of 4G and 5G Lawful Interception solutions in Cloud and non-cloud environments. Syed represents SS8 in both ETSI and 3GPP standards bodies and at technology summits and holds a BS in Computer Science and Engineering. You can learn more about Syed on his LinkedIn profile here.
About Dr. Okan Yilmaz
Dr. Okan Yilmaz has over 20 years of experience driving innovation and leading software engineering teams. As VP of Engineering at SS8, he is responsible for the design, development, and quality assurance of mission-critical products, including lawful intercept mediation, mobile network location intelligence, Law Enforcement Monitoring Center solutions, and AI/ML-powered intelligence data collection and analytics. Dr. Yilmaz holds a Ph.D. in Computer Science and an MBA from Virginia Tech. He also earned an M.S. in Computer Engineering and a B.S. in Computer Engineering & Information Science from Bilkent University. Learn more about Okan here.