What is Ethical Hacking?
Computer hacking is a practice with many nuances. Intent, whether benign or malicious, is often in the eye of the beholder. When examining the root cause of a website hack or application exploit, it pays to follow the money: a hacker is motivated by whoever or whatever is sponsoring his or her actions. The computer security industry coined the term “ethical hacking” to describe a hacker who benevolently attacks a network or other security system – whether private or public – on behalf of its owners. Ethical hackers are also called white hat hackers, as distinguished from the black-hatted bad guys.
One grey area in ethical hacking is hacktivism, where the hacker detects and reports (but sometimes exploits) security vulnerabilities as a form of social activism. In these cases the motivation isn’t money, but rather to call attention to an issue or injustice the hacker believes merits social change. The victim of the hack, however, may not be so receptive to this message. Ethical hacking should always be undertaken with the express advance consent of the targeted organization, not least because many black hat hackers claim to be ethical hackers when caught.
Why Use Ethical Hacking?
Why pay someone to hack into your own application or website? To expose its vulnerabilities, of course. Any law enforcement officer will tell you that to prevent crime, you should think like a criminal. To test a security system, ethical hackers use the same methods as their malicious brethren, but they report the problems they uncover to their client instead of taking advantage of them. Ethical hacking is commonplace in the federal government, where the practice originated in the 1970s, and many large companies today employ white hat teams within their information security practice. Other slang terms for ethical hackers include “sneakers”, red teams and tiger teams. Computer programmers can even learn ethical hacking techniques from a variety of certification authorities.
In the world of application security, ethical hacking takes the form of penetration testing. “Pen tests” are performed in scenarios as realistic as possible, so that the results accurately mimic what an intruder could actually achieve. Manual application testing employs human experts – ethical hackers – who attempt to compromise the app and report what they find. Typically a variety of tests are performed, from simple information-gathering exercises to outright attacks that would cause damage if carried through. A full-blown ethical hack might even include social engineering techniques such as emailing staff to dupe them into revealing passwords and other account details.
Veracode and Ethical Hacking: Automated Tools to Expose Vulnerabilities
Penetration testing exposes software coding errors and other vulnerabilities that threaten critical data, user accounts and other application functionality. Not all pen tests are performed manually, however. Ethical hackers may also employ automated tools such as static analysis and dynamic analysis. Veracode performs both dynamic and static code analysis and finds security vulnerabilities, such as malicious code or insufficient encryption, that may lead to security breaches. Using Veracode, penetration testers and other ethical hackers can spend more time prioritizing and remediating problems and less time finding them.
Written by: Fergal Glynn