Strong application security programs need to focus on code security both while it is being developed and in its running state, and that is where ethical hacking comes into play. Nothing beats secure coding from the get-go, but mistakes do happen along the way, and that is where ethical hacking experts can really make a difference in an organization.
Some call them white hat hackers, others use the term legal hackers, and still others refer to them as pentesters. All of them mean the same thing: A hacker that helps organizations uncover security issues with the goal of preventing those security flaws from being exploited. The idea behind ethical hacking is to pay the ‘good guys’ to find any holes the ‘bad guys’ would, before they can get to them.
Ethical hackers use penetration testing and other, mostly offensive, techniques to probe an organization’s networks, systems and applications. In essence, ethical hackers use the same techniques, tools, and methods that malicious hackers use to find real vulnerabilities – only in this case, they report them back to the organization for remediation…and a paycheck.
Ethical hacking is part of mature application security programs, ensuring continuous security throughout the organization and its applications. Many organizations use it to demonstrate compliance with regulatory standards like PCI-DSS or HIPAA, alongside defensive techniques such as Static Application Security Testing (SAST).
Ethical hacking differs from a security audit, even though the two look similar. An audit delivers a high-level, risk-based assessment; an ethical hacking engagement goes after real, exploitable vulnerabilities in the application or in the organization as a whole. As an ethical hacker, your goal is to find as many vulnerabilities as you can, whatever their risk level, and report them back to the organization.
Variations of ethical hacking techniques can even involve social engineering ploys to test the security awareness of the organization's employees. These include leaving potentially malicious USB drives in common areas, trying to lure employees into phishing attacks through email, or even posing as someone who needs access to sensitive areas, just to see how far they can get.
Whether by using automated tools, like the ones we'll list below, or through sneakier methods, ethical hackers can help significantly in finding holes in the organization's physical and virtual security protections, so the issues can be fixed and customers and the business can continue working securely.
Before setting out to choose a tool set, it’s a good idea to become very familiar, if you’re not already, with basic information security concepts, and deeper into more specific areas like network security and application security.
Getting the basics under your belt will help give you a foundation on which to build out your wider skill set. If you don’t have IT Security experience, you will most likely need to earn a certification.
Ethical hacking is a big undertaking, so starting with a solid base is essential: don't skimp on the basics. Keep in mind that the companies hiring you will want to know you understand the business imperatives of what you're doing, so a certification or a degree is more likely to get you noticed.
What resources are available for ethical hackers? For web application security, start with OWASP. They offer a fantastic set of resources for web app testing, which you can find here, and have a supportive community and chapters worldwide. Find your closest chapter here. For ethical hacking guidance, a great place to turn is toolswatch.org, run by Nabil Ouchn (@toolswatch), which offers free resources on security practices, hacking tools, and other news and trends.
Once you have a solid understanding of security concepts and hacking techniques, the next step is to turn theory into practice. The cliché "practice makes perfect" fits all too well here, because only with enough practice attacking and defending increasingly difficult scenarios will you become a professional ethical hacker.
OWASP offers a couple options to help ethical hackers gain more experience. One offering, free as all OWASP material is, is the OWASP Broken Web Applications project. Built to help strengthen both defensive and offensive techniques against OWASP Top 10 vulnerabilities, OWASP Broken Web Applications offers a virtual machine to attack and defend multiple custom web apps.
We've also written a couple of collections of web apps, mobile apps, and VMs that let you practice your hacking skills legally. Dig into a couple of these sites and try them out!
After you’ve gotten a solid security education and an understanding of the defense and offense techniques for fending off would be attackers – and finding the holes they would have used to get in – it’s time to choose your tool set.
Ethical hackers use all sorts of different tools, so expect a bit of trial and error as you start using them. There are the industry standards that most ethical hacking experts use, such as Metasploit, Nmap, and others, which we'll get to below. But there are also more niche tools that you'll use once you've chosen and are learning a particular specialty. Again, sites like ToolsWatch are especially helpful in offering advice on both standard and more specialized types of ethical hacking tools.
There is an ocean of ethical hacking tools to choose from; the real challenge is to find the best ones for the job. These nine tools offer just a slice of the available offerings, but they are some of the most popular and most well-regarded, and all of them are free. If you're looking for a wider range of network security tools, Nmap author Fyodor (Gordon Lyon) maintains a list of the top 125 on SecTools.org.
Designed as a more user-friendly graphical front end for the Metasploit Framework, Armitage has quickly risen through the ranks to become one of the most loved penetration testing tools for networks and IT infrastructure.
Read more about Armitage and download here.
Nmap, short for Network Mapper, is another beloved free and open-source utility for network discovery and security auditing. It's used to discover the hosts and services on a network and build a map of what is listening where: which hosts are up, which ports are open, and, with version detection enabled, what software is answering on them.
If you've never heard of Nmap, you've probably seen it, as it's been featured as the go-to hacking tool in many movies and TV shows. But don't take Matrix Reloaded's word for it: try out the tool here and see its powers for yourself.
Wireshark is another industry standard, offering network protocol capture and real-time analysis. The tool gives ethical hackers a deep look into network traffic, letting them zoom in on individual packets, and offers beginners a nice intro to TCP/IP.
Download Wireshark here, where you will also find training materials, including info on online webcasts and in-person conferences that may come to your area. How-To Geek also offers a nice guide to capturing, filtering and inspecting packets here.
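To see what Wireshark's packet-detail pane is actually decoding, it helps to walk the layers once by hand. The following is an added example (not from the original post or the Wireshark project) that builds a tiny classic libpcap capture in memory and dissects each record down to Ethernet, IPv4 and TCP fields using only the standard library. The two SYN frames are constructed with RFC 5737 documentation addresses and locally administered MAC addresses; IP and TCP checksums are deliberately left at zero, which Wireshark would flag as bad checksums.

```python
"""Build and dissect a classic libpcap file (Ethernet/IPv4/TCP) with the standard library.
Added example; not from the original post or the Wireshark project."""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # bit 0 .. bit 5


def build_tcp_syn(src_ip, dst_ip, sport, dport, seq):
    """Constructed Ethernet/IPv4/TCP SYN frame. Checksums are left 0 (constructed data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                      5 << 4,        # data offset: 5 words = 20-byte header, no options
                      0x02,          # flags: SYN only
                      65535, 0, 0)   # window, checksum (0), urgent pointer
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(tcp), 0x1234, 0x4000,  # ver/IHL, TOS, total len, id, DF
                     64, IPPROTO_TCP, 0,                      # TTL, protocol, checksum (0)
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap raw frames in a little-endian libpcap file (version 2.4, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (ts_sec, frame_bytes) per record; handles both byte orders via the magic number."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    offset = 24  # global header length
    while offset + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield ts_sec, data[offset:offset + incl_len]
        offset += incl_len


def dissect_frame(frame):
    """Return the fields a display filter like `ip.addr == x && tcp.flags.syn == 1` matches on."""
    if len(frame) < 14:
        return {"error": "truncated ethernet header"}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return {"ethertype": ethertype}
    ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes (options included)
    if ihl < 20 or len(frame) < 14 + ihl:
        return {"error": "bad ipv4 header length"}
    info = {"src": ".".join(str(b) for b in frame[26:30]),
            "dst": ".".join(str(b) for b in frame[30:34]),
            "ttl": frame[22], "proto": frame[23]}
    if info["proto"] == IPPROTO_TCP:
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            return {**info, "error": "truncated tcp header"}
        sport, dport, seq, _ack, _off, flags = struct.unpack("!HHIIBB", tcp[:14])
        info.update(sport=sport, dport=dport, seq=seq,
                    flags=[n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)])
    return info


def summarize(pcap_bytes):
    """One dissected dict per record, in file order."""
    return [dissect_frame(frame) for _, frame in parse_pcap(pcap_bytes)]


# Constructed capture: one client sending SYNs to SSH and to telnet on the same server.
SAMPLE_PCAP = build_pcap([
    build_tcp_syn("192.0.2.10", "198.51.100.5", 51000, 22, 1000),
    build_tcp_syn("192.0.2.10", "198.51.100.5", 51001, 23, 2000),
])

if __name__ == "__main__":
    for pkt in summarize(SAMPLE_PCAP):
        print(pkt)
```

Reading the IHL nibble rather than assuming a 20-byte header is the kind of detail a real dissector cannot skip: IP options shift the start of the TCP header, and a parser that hard-codes offset 34 will mis-decode ports on exactly the traffic an attacker crafts by hand.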
Faraday's pentest environment, which recently ranked #6 on ToolsWatch.org's top security tools list, offers a new way to perform pentesting: inside an IDE. The tool is built for the analysis, indexing and distribution of pentest data across a team.
Get Faraday’s pentest environment here.
Built with a bundle of other security modules integrated, IronWASP is a web app security scanning system that detects over 25 common vulnerabilities, with the ability to add custom scanning modules for your own security testing needs. Its simplicity makes it a great tool for beginners as well.
Download IronWASP here.
Android apps are becoming more mainstream in organizations, and more organizations are building Android apps. Security is a major concern when it comes to the Android platform, and Drozer can help mobile ethical hackers find the weak spots in Android apps.
Read more about Drozer and download the tool here.
While Android apps are notoriously vulnerability-ridden, their Apple counterparts have enough issues of their own. Clutch, which runs on a jailbroken device, dumps the decrypted binary of an App Store app so you can analyze it for security vulnerabilities.
A pentest tool designed specifically for web browser vulnerabilities, including those within mobile environments, BeEF (the Browser Exploitation Framework) was created to assess target environments using client-side attack vectors.
We already noted that ethical hackers won’t only be testing networks, systems and applications. They’ll also need to test the security awareness of employees. The Social Engineering Toolkit, or SET for short, is a tool with multiple attack vectors, all specifically designed for social engineering.
Possible uses include spear-phishing, malicious USB media, and various types of web app attacks, all aimed at finding the weak spots in your employees' security awareness. SET even integrates with Metasploit for an even wider range of functionality.
Read more about getting started with SET here and download here.
What other ethical hacking tools would you recommend?