They say the best defense is a great offense – and with application security, that’s certainly a big factor in staying ahead of the hackers. Organizations keen on keeping malicious hackers out of their systems will use any number of offensive measures as a way to find the kinds of holes attackers could use against them. Penetration testing, among other forms of offensive security, is perfect for the job – and ethical hacking has become an important part of an organization’s security program.
Strong application security programs need to focus on the security of the code both as it’s being developed and in its running state – and that’s where ethical hacking comes into play. Nothing can beat secure coding from the get-go, but mistakes do happen along the way, and that’s where ethical hacking experts can really make a difference in an organization.
What is Ethical Hacking?
Some call them white hat hackers, others use the term legal hackers, and still others refer to them as pentesters. All of them mean the same thing: a hacker who helps organizations uncover security issues with the goal of preventing those security flaws from being exploited. The idea behind ethical hacking is to pay the ‘good guys’ to find any holes the ‘bad guys’ would, before the bad guys can get to them.
Ethical hackers use penetration testing and other, mostly offensive, techniques to probe an organization’s networks, systems and applications. In essence, ethical hackers use the same techniques, tools, and methods that malicious hackers use to find real vulnerabilities – only in this case, they report them back to the organization for remediation…and a paycheck.
Why Use Ethical Hacking?
Ethical hacking is part of mature application security programs to ensure continuous security throughout the organization and its applications. Many organizations use it to ensure compliance with regulatory standards like PCI-DSS or HIPAA, alongside defensive techniques, including Static Application Security Testing (SAST).
Security audits are somewhat similar, but ethical hacking is done to find real vulnerabilities in the application or the organization as a whole, rather than the more high-level, risk-based analysis achieved through a security audit. As an ethical hacker, your goal is to find as many vulnerabilities as possible, regardless of their risk level, and report them back to the organization.
Variations of ethical hacking techniques could even involve social engineering ploys to test the security awareness of the organization’s employees. These ethical hacking techniques include leaving potentially malicious USB drives in common areas, trying to engage employees in phishing attacks through email, or even posing as someone who needs access to sensitive areas, just to see how far they can get.
Whether by using automated tools, like the ones we’ll list below, or through sneakier methods, ethical hackers can help significantly in finding holes in the organization’s physical and virtual security protections, so the organization can fix the issues and enable customers and the business to continue working securely.
How to Get Started with Ethical Hacking:
- Understand basic security concepts and techniques
Before setting out to choose a tool set, it’s a good idea to become very familiar, if you’re not already, with basic information security concepts, and then to go deeper into more specific areas like network security and application security.
Getting the basics under your belt will help give you a foundation on which to build out your wider skill set. If you don’t have IT Security experience, you will most likely need to earn a certification.
Ethical hacking is a big undertaking, so starting with a solid base is essential – don’t skimp on the basics. Keep in mind that the companies hiring you will want to know you understand the business imperatives of what you’re doing, so either a certification or a degree is more likely to get you noticed.
What resources are available for ethical hackers? For web application security, start with OWASP. They offer a fantastic set of resources for web app testing, which you can find here, and have a supportive community and chapters worldwide. Find your closest chapter here. For ethical hacking guidance, a great place to turn is toolswatch.org, run by Nabil Ouchn (@toolswatch), which offers free resources on security practices, hacking tools, and other news and trends.
- Strengthen your security education with defense and attack practice
Once you have a solid understanding of security concepts and hacking techniques, the next step is to turn theory into practice. The cliché ‘practice makes perfect’ fits all too well here, because only with enough practice attacking and defending increasingly difficult scenarios will you become a professional ethical hacker.
OWASP offers a couple of options to help ethical hackers gain more experience. One offering, free as all OWASP material is, is the OWASP Broken Web Applications project. Built to help strengthen both defensive and offensive techniques against OWASP Top 10 vulnerabilities, OWASP Broken Web Applications offers a virtual machine on which to attack and defend multiple custom web apps.
We’ve also written a couple of collections of various types of web apps, mobile apps, and VMs that allow you to practice your hacking skills in a legal way. Dig into a couple of these sites, and try them out!