Tony Danna, Principal Consultant

Tony Danna is a Principal Consultant with the Ethical Hacking team and has specialized in information security for 15 years. Tony is a veteran of hundreds of international security assessments and authored the team's network assessment methodologies. He previously served as the lead security engineer at a Fortune 500 company and created and instructed a curriculum at a local college for Information Security. We spoke with Tony about some of the critical issues facing application owners and the technology industry.

1. This year has revealed a number of sophisticated cyber weapons such as Flame, Gauss, and Madi actively used for espionage or sabotage of major operations in Middle Eastern states. Do you believe such weapons will be adapted for use against international corporations in the next few years?

This is really just an evolutionary stage that we are in. Malware is growing like mobile apps, with an iPhone in
Seeing as how they appear linked and, while mostly focusing on banks abroad, there have been infections against systems here in the US at large, well-known companies. And really these are gaining such a foothold because their cousins have historically been successful within existing corporations. I see this being more of a wake-up call for corporations, both domestically and internationally, since they are the playground and test-bed for things to come. The bigger issue remains: this shows the evolution of what conflict and diplomacy on a geopolitical stage can and will become. So in the next few years, it will be hard to tell, but I think [the threat will grow in] leaps and bounds even in the next year, and not just for corporations.

2. Mobile malware has exploded across a variety of devices in the last few years while professionals are demanding to bring your own device. Do you believe the risk can be balanced with the desire for flexibility?

I don't think it is really about flexibility but rather the risk around the whole BYOD trend that everyone likes to talk about. It really isn't addressing the real issue with mobile apps or those devices everyone likes to
The root issue is that mobile application security is no different from a web application's security and the way they should be developed and secured. Mobile apps are built around the fact that the device owner is in possession and the assumption that physical access is a given. But if mobile apps were addressed and developed in the same way as web applications, with the assumption that the client is in full control of the attacker, then the risks to these devices by just installing an app would not be so high.

3. In your experience testing web applications, you encounter hundreds of unique threats and vulnerabilities. Do any stand out in your mind as 'high risk but easy to fix' that organizations should remedy?

This is a trick question, right? I'd go with input validation for $200, Alex. Why input validation? Because something as simple as a Web Application Firewall (WAF) can be very effective at validating input and blocking all viable exploits in the interim until the longer-term fix is implemented. Using something like mod_security that sees all requests, you can set parameter-based white-lists and do a really good job of sanitizing input reaching the application and backend databases; obviously the closer to the application code, the better. I won't go as far as to say secure code isn't the best solution, but if malicious input can't reach the application or the backend database, then there are no exploitation vectors, given that the server-side code isn't in scope. Not the ideal SDLC answer for input validation, but if the result is the validated input and it is needed quickly, then there is nothing wrong with the right tool for the right job.

4. Many IT managers and resource sponsors see security as a cost of doing business, much like insurance. How do you view information security from a financial perspective?

Great analogy, insurance. It's a gamble for both parties. Except if a breach or data-loss occurs, you can't really say it wasn't fiscally feasible when you're in business with data to protect and are responsible to many parties regarding that protected data. Financially, it is just that, a cost of doing business. You need servers, electricity for them, HVAC so they don't melt together. Nothing should be different about the data they hold or transactions they process.

5. What do you think is the most serious or common misconception about Information Security today?

The reliance on vendors for patches to serious issues. Vendors are becoming more and more reluctant to confirm vulnerabilities when proper disclosure is made, much less address it in a timely fashion. If a vendor doesn't release a patch, the road ends.

A close second would be that security is reactive and putting out fires just when
is in, akin to teaching kids only what they need to know to pass a certain test; it doesn't give a complete view of a field of knowledge and stifles the intended experience.
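Tony's answer to question 3 talks about parameter-based white-lists in mod_security as an interim control while the application fix is pending. The rules below are an added illustration from the editor, not from the interview or any product, written in ModSecurity 2.x syntax. The endpoints /account and /login, the parameter names id, username, password and csrf_token, and the rule ids in the 100000 range are all assumed for the example.

```apache
# Editor's added example, not from the interview. Assumed application:
# /account?id=<digits> and a /login form posting username, password, csrf_token.
# Rule ids are arbitrary; keep them clear of any rule set you already load
# (the OWASP CRS reserves 900000-999999).

SecRuleEngine On

# Positive (white-list) check on one parameter: id must be 1 to 10 digits.
# Evaluated in phase 2, after the request body is parsed, so it covers both
# the query string and POST bodies. t:none disables any default
# transformations so the regex sees the raw decoded value.
SecRule ARGS:id "!@rx ^[0-9]{1,10}$" \
    "id:100001,phase:2,deny,status:403,log,t:none,\
    msg:'Parameter id failed white-list (digits only)'"

# Reject any parameter name on /login that is not on the allow-list.
# In a chain the disruptive action (deny) must sit on the first rule;
# the chained rule only contributes its condition.
SecRule REQUEST_FILENAME "@streq /login" \
    "id:100002,phase:2,deny,status:403,log,chain,\
    msg:'Unexpected parameter on /login'"
    SecRule ARGS_NAMES "!@rx ^(username|password|csrf_token)$" "t:none"

# Character-set and length white-list for username.
SecRule ARGS:username "!@rx ^[A-Za-z0-9._@-]{1,64}$" \
    "id:100003,phase:2,deny,status:403,log,t:none,\
    msg:'Parameter username failed white-list'"

# Password is not pattern-restricted (legitimate symbols must pass), only
# bounded in length: t:length replaces the value with its length before @gt.
SecRule ARGS:password "@gt 256" \
    "id:100004,phase:2,deny,status:403,log,t:length,\
    msg:'Parameter password exceeds 256 bytes'"
```

Two things to check before relying on this. First, a negated rule such as `!@rx` on `ARGS:id` only fires when the parameter is present; a request that omits id is not blocked, so absence still has to be handled by the application. Second, run the set with `SecRuleEngine DetectionOnly` against real traffic before switching to `On`, because a white-list that is slightly narrower than what legitimate users send turns the WAF into an outage rather than a control. This is the interim layer Tony describes; the same validation still belongs in the server-side code, as close to the data as possible.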
WHITE HAT SPOTLIGHT