Tony Friar, the lead author and editor of FS.38, notes that for many years, telecoms security was often an afterthought—networks were built, launched, and only then were security mechanisms considered. Even when security was designed in from the start, those features were frequently disabled in practice. The industry historically operated on a basis of trust, not zero trust, and often relied on a single defense layer, such as a firewall. This mindset has become untenable in an era where vast amounts of protocol knowledge are readily available online, including on the darknet, and where attacks on telecom networks have grown both in volume and in sophistication.
Are you looking into specific protocols (such as SS7 or Diameter protection), or purely focusing on SIP? gsma fs.38
If you are a product manager or CTO, the cost of FS.38 assessment (typically $15,000–$50,000 based on complexity) may seem steep. However, the cost of not certifying is far higher: Tony Friar, the lead author and editor of FS
These sophisticated exploits use malformed SIP headers or complex session states that require heavy processing power from core nodes, exhausting system memory and CPU cycles without triggering basic volumetric thresholds. 2. Privacy Violations and Information Disclosure This mindset has become untenable in an era
According to the , FS.38 focuses on several critical areas:
Provides the overarching "Baseline Security Controls" for the entire mobile ecosystem.