How Can OTT Service Providers Benefit From A Security Audit?

Andrew Pope,  Senior Solutions Architect, Friend MTS

It’s undeniable that content fraud is a huge problem within the entertainment industry. With piracy now costing the industry as much as $29 billion each year in the US alone, broadcasters, operators and content owners are working harder than ever before to protect their valuable video content. However, their responsibilities don’t just include monitoring the web for illegal content sharing and ensuring its takedown. Rapid advancements in defence penetration mean that content platforms themselves are also under attack. 

A crucial approach to ensure that over-the-top (OTT) platforms and other services are not subjected to piracy is to carry out regular security audits. These audits provide an invaluable opportunity for platforms to detect potential vulnerabilities before malicious actors exploit them. In this blog, we examine how security audits can provide insights into performance, security, and more.

Why should you consider a security audit?

Security audits don’t just expose potential vulnerabilities. It’s a chance for platforms to examine their application hardening, certificate pinning, detection of device rooting, encryption, code and traffic obfuscation, as well as carry out API analysis. In essence, all aspects of a platform are examined to ensure that they not only deliver content to paying consumers seamlessly but can withstand serious malware attacks. 

The security that was state of the art a few years ago will quickly become outdated and obsolete as pirates continue to find new ways to steal legitimate content, and security audits ensure that your security measures are up to the standard required. Audits should therefore be periodic, rather than a one-off activity, as pirates always evolve new attacks. Similarly, as platforms continue to add new features regularly, the audits should be performed again to ensure they have not resulted in a weakened security posture.

How is a security audit carried out?

Security audits will be tailored to each client individually as no two platforms are the same. That being said, typically an audit will begin by running monitoring on the client’s content. This will detect any ‘leaks’ of content which will then be analysed to ascertain the source, to indicate any areas of weakness the platform may have that are being exploited. These can then be addressed to avoid further exploitation. 

Once this is complete, generally a more in-depth review will occur, using reverse engineering to determine if the client’s apps or web content have any weaknesses that could be used to gain access to unauthorised and/or decrypted content. If there are, techniques like application hardening, code obfuscation and white box cryptography can be introduced to prevent these vulnerabilities from arising in the future. 

Regardless of the process used to audit each specific client, a security audit will take a deep dive into every area of the platform to assess all vulnerabilities, making sure that all apps, sites and services conform to the very latest security standards and protocols. 

The benefits of a security audit

There are a whole host of benefits that come from a security audit. Aside from the obvious improvements to ensure that there are no security risks, it also has a positive impact on a company’s reputation and finances. Insecure platform might have an unfavourable image within the industry, so being tested to ensure that pirates cannot easily source content from them will allow the platform to retain a reputation for high-security standards. Identifying platform weaknesses, enables the client to shut them down, which can have a positive effect on subscriber numbers by attracting subscribers who may have watched their content illegally in the past. 

Security audits from Friend MTS

A security audit from Friend MTS will highlight how a platform can be better protected to prevent pirates from exploiting it. Typical vulnerabilities revealed by a security audit by Friend MTS may include:

• Credentials being exchanged in the clear and reused to instantiate multiple sessions
• Weak session concurrency management
• Exchange of encryption keys delivered in manifests
• Clearkey injection

By pinpointing these vulnerabilities, you can implement solutions to thwart future pirate attacks and prevent potential revenue loss to pirates. Furthermore, the beauty of a security audit from Friend MTS is that it will not require any downtime. Security audits are designed not to stress the OTT delivery platform, meaning that it will not interfere with day-to-day operations while it is carried out.

No perfect solution exists

While a single security audit represents high value, this alone is not sufficient to keep your content safe. It must be part of a company-wide mindset of ongoing vigilance, education, and technological maintenance. Security audits should be performed at least annually or following any significant software deployment.

To find out more about how a security audit can help your organisation, get in touch to speak with one of our experts.

Talk to us