You are here

Want to improve quality? Give ethical hackers access to your code

public://pictures/jethro_lloyd_headshot_0.jpg
Jethro Lloyd, CEO and President, iLAB

If you’re hiring a hacker to conduct penetration testing, you might think that sending the hacker a target URL is all he or she needs. In fact, this might even seem fun, like giving the hacker a challenge. After all, that puts the hacker in the same position as a criminal, right? If the hacker can't find the flaws, then a criminal won't either.

The main outcome of this black-box approach is a false sense of security on the part of the application owner. When you hire an ethical hacker to conduct penetration testing, you need to trust the hacker all the way to the code and back. Otherwise, you won't learn anything from the hacker about your system's real security.

"But my development team already tested the code."This is what at least some of you are thinking right now. The main reason that internal quality assurance testing isn't enough is confirmation bias. Testing isn’t always designed to uncover issues. Many times, I find that internal QA testing during development has been conducted only to get a pass for the code and move on to the next sprint.

In other cases, looking at the code for weeks and months means that errors of logic or syntax are simply overlooked. Everyone is human. Everyone makes mistakes—even your development team. The point of hiring an ethical hacker is to find those mistakes and protect yourself from the worst of them.

[ Get up to speed fast on the state of app sec and risk with TechBeacon's new guide. Plus: Get the 2019 Application Security Risk Report. ]

What is ethical hacking, anyway?

The term was coined in 1995 by John Patrick, then a vice president at IBM. But the idea of ethical hacking has been around much longer. In fact, all hacking started out as ethical back in the 1960s. It wasn’t until computers became widespread tools for business and private use that the opportunity for crime presented itself. Until then, developers and testers were just trying to break things in order to make them work better.

It's now common to see these types of white-hat or ethical hackers welcomed into the fold by businesses that want an expert to find the flaws in their applications—without exploiting those flaws for personal gain.

Tips: Research your hacker

  • There are plenty of individuals and businesses fully capable of conducting penetration testing and earning you great results. But it's essential to get recommendations and ask for proof of past success before you take any of the steps that follow.

  • If an ethical hacker doesn’t have past clients willing to talk about their experiences, that person is not likely a good choice for your project.

How can ethical hacking be used poorly?

Businesses that hire ethical hackers are trusting a proven hacker to break their system—a great instinct. To make your app secure against hackers, you want a hacker testing it.

But it's a mistake to ask an ethical hacker to try to break into the app from the outside, the same as a criminal on the Internet would need to do. While the hacker might do well at breaking your system, you will have little or no idea how to fix it once the hacker is done.

By doing nothing more than sending your ethical hacker a URL and saying, "Have at it," you’re not going to learn as much as you might with a more open approach. In fact, all you're really going to prove is that there are risks, which is something you should pretty much assume to begin with.

After the hacker is done performing a black-box test from the inside, the hacker won’t be able to tell you the causes of the defects he or she found or help you address deeper vulnerabilities in your code.

On the other hand, a criminal with the right knowledge will be happy to find those issues—he just won't be nice about it once he does.

[ Take a deep-dive with our Application Security Trends and Tools Guide, which includes TechBeacon's 2019 App Sec Buyer's Guide. ]

The right way to use ethical hackers

When they have access to your product's code and internal structure, ethical hackers can focus their attention on deep, mission-critical concerns. This is far more efficient than spending valuable (and expensive) time looking for surface vulnerabilities to gain entry. Why would you pay money to ask an ethical hacker to play a fancy game of hide and seek?

I'm not saying that testing from the user's point of view doesn't also have value. But the goal here is to establish a robust understanding of your system's actual security. That means that testing from the development side is essential and should be a higher priority.

Tips: Define priorities with your hacker

  • One way you can maximize your spend with an ethical hacker is to ask the hacker to focus on the key features or components you know carry the largest risks. For instance, maybe your site stores or transmits financial information, or medical data protected by laws such as HIPAA. Those areas are high risk and of high value to criminals.
  • Instead of asking the hacker to find any and all issues system-wide, get the hacker to find exactly the ways your worst nightmares could come true.

What an ethical hacker needs to work

If you really want an ethical hacker to assess the deepest and scariest risks in your application, the hacker needs a lot more than just typical user access. To start, it's useful to discuss your previous test cases and the outcomes. Maybe users need to complete a form, or use the app to transfer money, or schedule an appointment. What are all the different routes the hacker can use to complete those essential processes? Where have you found and corrected defects in the past?

An ethical hacker will also need access to your source code. This will empower the hacker to ensure that all internal processes have been put under pressure. Depending on the hacker's skill set and capability, you may even ask him or her to perform a code review to look for logic errors, syntax, or loops. On the other hand, I find it's usually best to leave that level of mundane work to automation, while human minds tackle the real challenges.

Tips: Give hackers something to lose—starting with their pay

  • When negotiating a contract with an ethical hacker, it's essential to define the hacker's responsibilities and establish stakes for the enterprise and the contractor. If the hacker's actions in the code cause deeper issues or a total system failure, you must make it clear this is the hacker's responsibility and liability.
  • Make it clear in the terms of the deal when the hacker's work is done and what deliverables you expect to be provided, whether that is a report, support for your developers, or a second round of testing once the defects are addressed.
  • Last, establish stringent guidelines around confidentiality and communication, and make sure the contractor understands those are legally binding.

Tread carefully

Hiring an ethical hacker to do nothing more than poke at your app from the outside and tell you that yes, your application has bugs, is a waste of money nine times out of ten.

Of course your product has defects. It will probably always have defects. Hiring someone to prove this through testing won't tell you anything you don't already know. The real questions are: What do those defects mean? What risks do they open you up to? And most importantly, how are you going to fix them and protect yourself, your business, and your users?

Without access to your source code and a knowledge of the internal structure of the product, an ethical hacker can’t really help you answer these questions. All you’ll have done with a black-box approach to penetration testing is pay a hacker a boatload of money to tell you a little more information about something you pretty much already knew.

[ Get Report: Gartner Magic Quadrant for Application Security Testing 2019 ]