Great power comes with great responsibility, and all heroes face the decision of using their powers for good or evil. These heroes I speak of are called white hat hackers, legal hackers, or, most commonly, ethical hackers. All these labels mean the same thing: A hacker who helps organizations uncover security issues with the goal of preventing those security flaws from being exploited. If companies don't have an ethical hacker working for them, they're in a one-sided game, only playing defense against attackers.
Meet the Hackers
Companies house both developer and security teams to build out codes, but unfortunately, there often is little communication between the two teams until code is in its final stages. DevSecOps — developer and security teams — incorporates both sides throughout all of the coding process to catch vulnerabilities early on, as opposed to at the end, when making updates becomes harder for developers.
Although secure coding practices and code analysis should be automated- and a standard step in the development process - hackers will always try to leverage other techniques if they can't find code vulnerabilities. Ethical hackers, as part of the DevSecOps team, enhance the secure coding practices of the developers because of the knowledge sharing and testing for vulnerabilities that can be easily taken advantage of by someone outside the company.
Take, for example, Jared Demott. Microsoft hosts the BlueHat competition for ethical hackers to find bugs in its coding, and Demott found a way to bypass all of the company's security measures. Let that sink in for a moment — he found a way to bypass all of Microsoft's security measures. Can you imagine the repercussions if that flaw had been discovered by a malicious hacker?
Let the Hackers Hack
Security solutions (such as application security testing and intrusion detection and prevention systems) are a company's first line of defense because they're important for automatically cleaning out most risks, leaving the more unique attack techniques for the ethical hackers to expose. These could include things such as social engineering or logical flaws that expose a risk. Mature application security programs will use ethical hackers to ensure continuous security throughout the organization and its applications. Many organizations also use them to ensure compliance with regulatory standards such as PCI-DSS and HIPAA, alongside defensive techniques, including static application security testing.
You may be thinking, "What about security audits? Wouldn't they do the trick?" No, not fully. Ethical hacking is used to build real-world potential attacks on an application or the organization as a whole, as opposed to the more analytical and risk-based analysis achieved through security audits. As an ethical hacker, the goal is to find as many vulnerabilities as possible, no matter the risk level, and report them back to the organization.
Another advantage is that once hackers detect a risk, vendors can add the detection capability to their products, thus enhancing detection quality in the long run. For example, David Sopas, security research team leader for Checkmarx, discovered a potentially malicious hack within a LinkedIn reflected filename download. This hack could have had a number of potential outcomes, including a full-blown hijacking of a victims' computers if they had run the file. It's probably safe to say that just the audit wouldn't have identified this hidden flaw.
How to Hack
The good news for companies searching for someone to fill this role is that there are several resources for their own employees to learn more about ethical hacking and become a more-valuable asset.
The first step is to get certified. EC-Council has resources and certifications available, and if you want to continue brushing up on your ethical hacking skills, OWASP has you covered. While getting certified isn't a requirement, I highly recommend this, because getting the basics down will help to provide a foundation on which to build. After you have the basics down, there are many tools and automated processes that can be utilized, but ethical hackers usually use penetration testing and other, mostly offensive, techniques to probe an organization's networks, systems, and applications. In essence, ethical hackers use the same techniques, tools, and methods that malicious hackers use to find real vulnerabilities.
One Small Step for Companies, One Giant Leap for Hackers
What does this all mean for companies? Well, companies must first acknowledge how ethical hackers can help them. Strong application security programs need to focus both on the code security as it's being developed, as well as in its running state — and that's where ethical hacking comes into play. Nothing beats secure coding from the get-go, but mistakes do happen along the way, and that's where ethical hacking experts can make a difference in an organization.
At the next meeting on staffing, ethical hackers should be right at the top of the list of priorities to keep your company, and its data, safe.