Think like a hacker

Jeff Feinman
February 15, 2009 (Page 1 of 6)
In the eyes of Mike Weider, the correct way of doing software security testing requires getting into the mind of the hacker.

The director of security products for IBM Rational said it takes a special breed of software professional to step into the driver’s seat of a hacker’s mentality and take the wheel. While quality assurance professionals can do security testing and smoke out some vulnerabilities, they usually have the customers’ thoughts in mind rather than those of the hacker.

“There is a need for this specialized security testing professional to anticipate how hackers think and use this slightly different way to test applications,” Weider said.

From a technology standpoint, there are two main approaches for testing software for security, and they are well known to developers and testers. One is exercising the software from what many call the outside-in approach: testing to see how the application responds to a simulated attack. The second is more of an inside-out approach, which looks for coding patterns that would highlight vulnerabilities in the code.

But security testing can be a fundamentally different ballgame from traditional testing, because the emphasis is put on what an application should not do rather than on what it should do. First, ordinary users don’t usually try to search out software bugs, while malicious attackers intentionally seek out vulnerabilities. When vulnerabilities are found by hackers, problems arise for other users instead of just for a developer or group of developers.
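The two approaches above, applied to one small constructed function, as an added example that is not from the article: an inside-out scan of the source for a risky coding pattern (a SQL query assembled by string formatting), and an outside-in probe that feeds the code attacker-shaped input and checks what it must not do. The sample functions, the regex and the test data are all assumptions made for this illustration.

```python
import re
import sqlite3

# Constructed sample code under test (not from the article). The first builds a
# query by string formatting; the second binds the value as a parameter instead.
VULNERABLE_SOURCE = '''
def find_user(conn, name):
    return conn.execute("SELECT id FROM users WHERE name = '%s'" % name).fetchall()
'''
HARDENED_SOURCE = '''
def find_user(conn, name):
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()
'''

# Inside-out: look for a coding pattern that highlights a vulnerability, here a
# query string assembled with %, .format() or an f-string directly inside execute().
RISKY_SQL = re.compile(r'execute\(\s*(f"|"[^"]*"\s*(%|\.format\())')

def scan_source(src):
    """Return the 1-based line numbers on which the risky pattern appears."""
    return [n for n, line in enumerate(src.splitlines(), 1) if RISKY_SQL.search(line)]

# Outside-in: run the code against a simulated attack and check what it must NOT
# do. A name that matches no user must return no rows, whatever else it contains.
ATTACK_INPUT = "nobody' OR '1'='1"   # constructed attacker-shaped input

def load(src):
    """Turn one of the constructed source strings into a callable."""
    ns = {}
    exec(src, ns)   # acceptable here: src is our own constructed sample, not user input
    return ns["find_user"]

def probe(src):
    """Return how many rows leak for ATTACK_INPUT; 0 is the only correct answer."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    rows = load(src)(conn, ATTACK_INPUT)
    conn.close()
    return len(rows)

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SOURCE), ("hardened", HARDENED_SOURCE)):
        print(f"{label}: static hits on lines {scan_source(src)}, rows leaked {probe(src)}")
```

The static scan flags the formatted query but not the parameterised one, and the probe shows the vulnerable version returning every user for a name that exists nowhere in the table.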

Additionally, developers usually learn to avoid poor programming practices in their own projects, but it is difficult for security testers to keep up with the latest exploits because new ones appear every year. This makes it harder to ensure that secure programming practices are followed.

So what is the best way to carry out proper security testing? Vic DeMarines, vice president of products at security tool maker Vi Labs, shared Weider’s notion that testers need to think like the attackers themselves and to look for the easiest way to initiate a threat. Applications will have different levels of threats, depending on the nature of the application.

06/23/2009 10:30:01 AM EST

On a related note and for similar content, see our book "The Art of Software Security Testing", published in 2006, for example chapter 1, pg. 11 "Think like an Attacker" and chapter 3 "The Secure Software Development Lifecycle".

Elfriede Dustin, United States
