Guide to Ethical Hacking: Tools and Free Tutorial on Ethical Hacking
What is Ethical Hacking?
Computer hacking is a practice with many nuances. Intent, whether
benign or malicious, is often in the eyes of the beholder. When
examining the root cause of a website hack or application exploit, it
pays to follow the money. A hacker will be motivated by whomever or
whatever is sponsoring his or her actions. The computer security
industry coined the term “ethical hacking” to describe a hacker who
benevolently attacks a network or other security system – whether
private or public – on behalf of its owners. Ethical hackers are also
called white hat hackers, as distinguished from the black-hatted bad
guys.
One grey area in ethical hacking is hacktivism, where the hacker detects and reports (but sometimes exploits)
security vulnerabilities
as a form of social activism. In these cases the motivation isn’t
money, but rather to call attention to an issue or injustice the hacker
believes merits social change. However, the victim of the hack may not
be so receptive to this message. Ethical hacking should always be
undertaken with the express advance consent of the targeted organization
– as many black hat hackers claim to be ethical hackers when caught.
Why Use Ethical Hacking?
Why pay someone to hack into your own application or website? To
expose its vulnerabilities, of course. Any law enforcement officer will
tell you that to prevent crime, you must think like a criminal. To test a security
system, ethical hackers use the same methods as their malicious
brethren, but report the problems they uncover to their client instead of
taking advantage of them. Ethical hacking is commonplace in the Federal
government, where the practice originated in the 1970s, and many large
companies today employ white hat teams within their information security
practice. Other slang terms for ethical hackers
include “sneakers”, red teams and tiger teams. Computer programmers can
even learn ethical hacking techniques from a variety of certification
authorities.
In the world of application security, online ethical hacking takes the form of
penetration testing.
“Pen tests” are performed in scenarios as realistic as possible to
ensure that the results accurately mimic what an intruder could
potentially achieve. Manual application testing employs human experts –
ethical hackers – who attempt to compromise the app and report what
they find. Typically a variety of tests are performed, from simple
information-gathering exercises to outright attacks that would cause
damage if carried out. A full-blown ethical hack might even include
social engineering techniques such as emailing staff to dupe them into
revealing passwords and other account details.
Veracode and Ethical Hacking: Automated Tools to Expose Vulnerabilities
Penetration testing exposes software coding errors and other
vulnerabilities that threaten critical data, user accounts and other
application functionality. Not all pen tests are performed manually,
however. Ethical hackers may employ automated tools such as
static analysis
and dynamic analysis. Veracode performs both dynamic and static code
analysis and finds security vulnerabilities such as malicious code or
insufficient encryption that may lead to security breaches. Using
Veracode, penetration testers and other ethical hackers can spend more
time prioritizing and remediating problems and less time finding them.
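To make concrete what an automated static analysis rule actually does, the following is an added example, not code from this page and not Veracode's engine or rule set. It scans Python source for calls to hashlib digests that are too weak to protect stored passwords, one kind of “insufficient encryption” finding, and reports the line each one appears on. The weak-algorithm list and the sample program it inspects are constructed for the illustration.

```python
"""Toy static-analysis rule: flag calls to weak hash functions.

Added illustration of the kind of check a static analysis tool runs over
source code. It is not Veracode's implementation; the weak-algorithm list
and the sample program below are assumptions made for this example.
"""
import ast

# Constructed rule set: hashlib digests treated as too weak for password
# storage or integrity protection in this example.
WEAK_HASHES = {"md5", "sha1"}


def _is_hashlib_attr(func, attr_names):
    """True when func is an expression of the form hashlib.<name>."""
    return (
        isinstance(func, ast.Attribute)
        and isinstance(func.value, ast.Name)
        and func.value.id == "hashlib"
        and func.attr in attr_names
    )


def find_weak_hashes(source: str):
    """Return a list of (line_number, algorithm) for each weak hash call.

    Two call shapes are recognised: hashlib.md5(...) / hashlib.sha1(...)
    and hashlib.new("md5", ...) with a constant algorithm name.
    """
    findings = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Direct constructor call, e.g. hashlib.md5(data)
        if _is_hashlib_attr(func, WEAK_HASHES):
            findings.append((node.lineno, func.attr))
        # Name-based constructor, e.g. hashlib.new("SHA1", data)
        elif (
            _is_hashlib_attr(func, {"new"})
            and node.args
            and isinstance(node.args[0], ast.Constant)
            and isinstance(node.args[0].value, str)
            and node.args[0].value.lower() in WEAK_HASHES
        ):
            findings.append((node.lineno, node.args[0].value.lower()))
    return findings


# Constructed program under review (not real application code).
SAMPLE = """\
import hashlib

def store_password(pw):
    return hashlib.md5(pw.encode()).hexdigest()

def checksum(data):
    return hashlib.sha256(data).hexdigest()

def legacy(data):
    return hashlib.new("SHA1", data).hexdigest()
"""

if __name__ == "__main__":
    # Expected: line 4 (md5) and line 10 (sha1); sha256 on line 7 passes.
    for line, algo in find_weak_hashes(SAMPLE):
        print(f"line {line}: weak hash algorithm {algo}")
```

The rule works on the parsed syntax tree rather than on raw text, which is why it can tell `hashlib.sha256(...)` apart from `hashlib.sha1(...)` and still catch the algorithm name hidden in a `hashlib.new(...)` call; a production tool adds many more rules of this shape and resolves aliased imports, but the pattern of matching a vulnerable construct and reporting its location is the same.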