There are a variety of legitimate reasons why someone might want to fuzz a VoIP application. We have broken out the likely scenarios into three main categories.
The number of discovered security vulnerabilities in software applications and operating systems in the last few years has been steadily increasing. The impact of such flaws, in terms of bad publicity, support calls, and the erosion of customer confidence, has been incalculable to vendors.
As a result, some vendors are becoming more aware of the benefits of writing secure software and building secure platforms. Historically, however, the core competency of most software and device vendors has been product development, not security. Consequently, despite a vendor's best efforts, products released to customers are often found to have vulnerabilities after deployment.
As security becomes more and more of a differentiator in the VoIP marketplace, it behooves vendors to test the security and robustness of their applications proactively, rather than deal with the embarrassment of a public security hole in their products.
Companies with a mature security process strive to be proactive in their efforts to reduce vulnerabilities and minimize the risk of successful compromises. More and more, enterprises, large corporations, and service providers are beginning to perform vulnerability assessments on any large-scale technologies they are considering installing within their organization.
Many times, the corporate security team will be charged with "shaking the tree" to find any easily exploitable security problems with potentially deployed VoIP applications. The problems need not be severe code execution vulnerabilities; even simple denial of service issues can easily disrupt the availability of these applications. Some larger corporations will actually leverage their buying power to force the vendor to fix any issues found in this discovery process before making a purchase. In some cases, a product with numerous security issues might be rejected in favor of another product with fewer features but more security.
Over the past few years, there has been an obvious increase in the number of capable security researchers, as well as an advancement in publicly available security research tools. Many of these researchers are gainfully employed by security vendors or information security consulting firms, while others are independent or self-styled hobbyists who enjoy picking apart software for its own sake. Regardless of the particular motivations, more and more security holes are discovered today by third parties rather than by the affected vendor.