By Ryan O'Leary, WhiteHat Security
If your company develops web applications, I hope you aren't the nervous sort when I tell you that your website is most likely being targeted for hacking as you read this. If you're a security manager, it really shouldn't come as a surprise, though. Web apps are the most exploited means of illicit entry by hackers.
The Verizon 2016 Data Breach Investigations Report says that web application attacks represented 40 percent of all data breaches in 2015. The total global cost of data breaches today is $360 billion and, according to the Ponemon Institute, the average total cost of a single breach is $4 million.
I tell you this not to ruin your sleep but rather to let you know you that there is a solution: hire a good-guy hacker to find vulnerabilities before the bad guys do, and then have your developers fix them.
You and your customers will be spared what could be truly enormous losses. The best way to discover your application vulnerabilities is to hack yourself.
Hiring an Ethical Hacker
However, hiring a competent, ethical hacker on your own isn't the easiest thing to do, because supplies are limited. And you have to be sure they are reputable. After all, hackers are trained in the dark arts, so you need to be confident that not only are they skilled but also that they won't use what they find on your website for nefarious purposes. At the very least, they need to pass a stringent background check, like any security employee.
Ethical hackers are an unusual breed. They have the same skills as bad-guy hackers, but they choose to use those skills for good. And they're up against a formidable array of troublemakers:
- Hacktivists, whose motivation may be politics, exposing wrongdoing or exacting revenge
- Organized crime hackers, who want to steal your money, data and computing resources
- Nation-state and terrorist hackers, driven by politics or religion
How Does an Ethical Hacker Think?
When I hire potential application security engineers, I look for a certain mindset: "How can I break something?" The hacker personality likes to figure out how something works and then try to reverse engineer or otherwise subvert it. It's a point of view you can't teach.
I remember once we had a group of hacker applicants in the lobby and one of them whiled away his time figuring out how to hack the lobby soda machine. He was successful -- and then he put the soda can back, because he wasn't after a free Coke; he just wanted to see if he could do it. I didn't have any hesitancy in picking that guy to hire.
The other vital quality I look for is the drive to learn new things, because being a successful hacker is all about keeping up to date with the latest trends. And there is always something new coming along. Right now potential vulnerabilities include:
- Information leakage
- Predictable resource location
- Directory indexing
- Insufficient transport layer protection
- Zero-day vulnerabilities such as POODLE, HeartBleed, Shellshock and Java
And there are many potential ways that cybercriminals can exploit those vulnerabilities, such as:
- Cross-site scripting
- Filter evasion for XSS
- Social engineering
- Content spoofing
- URL redirector abuse
Where to Find an Ethical Hacker
One place to look for good-guy hacker hiring recommendations is a local chapter meeting of the Open Web Application Security Project. Find one, attend and make friends; the application security community is a small but tight-knit and helpful group. There are also companies that will provide safe, certified experts as well as software tools to hunt down the vulnerabilities in your websites and apps.
When the security expert arrives, you'll tell him or her your priorities and he or she will get to work, most likely vetting your flagship website first. Once you find out where the vulnerabilities lie -- and there always are some, in my experience -- you'll develop a plan to fix them. And remember, bugs and vulnerabilities may be lumped together as "defects," but vulnerabilities --with their greater potential for disaster -- should get first priority in the repair queue.
Emphasis on Application Security
Going forward, you need to make AppSec an embedded part of the development process. It's much cheaper to fix vulnerabilities in development than in QA. Among other things, that means security and development must become a tightly bonded team.
You may find your developers initially resist or resent the security expert’s involvement. Developers are all about speed of release and quality of code, and they may have little or no security training or mind set. They often view security experts as roadblocks.
The solution is a companywide emphasis on security and secure coding training for the developers. It's true that security testing will slow down the development process a little, particularly at first before people get used to it. But eventually security is just seen as another part of QA, with everyone striving toward the same goal: a secure product.
Sometimes security managers or their leadership are leery of employing their own good-guy hacker, because they don't want to know the bad news. It's like staying away from the doctor to avoid hearing that you have medical problems. That's human nature, maybe, but not wise. The hacker mindset, however, is an invaluable addition both to the security team and to the DevOps team the hacker (hopefully) collaborates with.
Remember, each vulnerability you eliminate is one less chance of being hacked. Corny or not, "knowledge is power." The more you know, the more you can prevent your organization from experiencing a potentially devastating breach. A good-guy hacker could make the world of difference in your security posture.
Ryan O'Leary is vice president of the Threat Research Center at WhiteHat Security. WhiteHat Security combines technology and human intelligence to deliver solutions that reduce risk, reduce cost and accelerate the deployment of secure applications and websites.