Think like a hacker
February 15, 2009 —
(Page 1 of 6)
Related Search Term(s): professional development, security, testing, IBM, Fortify, Klocwork, Vi Labs
In the eyes of Mike Weider, the correct way of doing software security testing requires getting into the mind of the hacker.
The director of security products for IBM Rational said it takes a special breed of software professional to step into the driver’s seat of a hacker’s mentality and take the wheel. While quality assurance professionals can do security testing and smoke out some vulnerabilities, they usually have the customers’ thoughts in mind rather than those of the hacker.
“There is a need for this specialized security testing professional to anticipate how hackers think and use this slightly different way to test applications,” Weider said.
From a technology standpoint, there are two main approaches for testing software for security, and they are well known to developers and testers. One is exercising the software from what many call the outside-in approach: testing to see how the application responds to a simulated attack. The second is more of an inside-out approach, which looks for coding patterns that would highlight vulnerabilities in the code.
But security testing can be fundamentally a different ballgame than traditional testing because the emphasis is put on what an application should not do rather than what it should do. First, users don’t usually try to search out software bugs, while malicious attackers intentionally seek out vulnerabilities. When vulnerabilities are found by hackers, problems arise for other users instead of just a developer or group of developers.
Additionally, developers usually learn to avoid poor programming practices for their own projects, but it is difficult for security testers to keep up with the latest exploits because they grow every year. This makes it more difficult to ensure that secure programming practices are followed.
So what is the best way to carry out proper security testing? Vic DeMarines, vice president of products at security tool maker Vi Labs, shared Weider’s notion that testers need to think like the attackers themselves and to look for the easiest way to initiate a threat. Applications will have different levels of threats, depending on the nature of the application.