HOME ALL STORIES LATEST NEWS COLUMNS OPINIONS GUEST VIEWS SHORT TAKES DATA WATCH SPECIAL REPORTS ZEICHICK'S TAKE SD TIMES 100 EDITORS' BLOG

IPHONE APP

RSS FEEDS

FACEBOOK

TWITTER

WHITE PAPERS SPONSORED PROFILES JOB BOARD WEBINAR CENTER FREE SOFTWARE BZ RESEARCH ALMSHAREPOINT EVENTS CALENDAR PRINT/PDF EDITION PRINT/PDF BACK ISSUES

SUBSCRIBE TODAY CUSTOMER SERVICE EDITORIAL CALENDAR EDITORIAL BEATS GUEST VIEW GUIDE SD TIMES 100 GUIDE EVENTS CALENDAR ADVERTISING ARTICLE REPRINTS REPORT A BUG SITE MAP

ABOUT US BZ MEDIA NEWS BZ RESEARCH SYSMANNEWS SPTECHCON IPHONEDEVCON ANDEVCON ESDC PRIVACY POLICY CONTACT US

Printable version

HOME >> LATEST NEWS

Most Read Latest News Blog Resources

Three non-programming books for your booklist
Aside from programming skills, developers should know how management works and how to oper...

Microsoft pushes Windows Phone 7 development tools
Ahead of the smartphone's release, Microsoft is letting developers download its tools in a...

Windows & .NET Watch: LightSwitch turns up
Microsoft's newest development environment will need to go a long way to fulfill its poten...

JavaOne returns with an Oracle twist
Oracle OpenWorld will be bigger than ever this year as the event adds JavaOne to the sched...

Microsoft pushes Windows Phone 7 development tools
Ahead of the smartphone's release, Microsoft is letting developers download its tools in a...

JavaOne returns with an Oracle twist
Oracle OpenWorld will be bigger than ever this year as the event adds JavaOne to the sched...

A fast start for an open-source cloud
Three developers from the OpenStack project talk about its already-thriving community and ...

Lattix introduces browser-based architecture management solution
Update offers ability for users in disparate locations to view software’s architecture, de...

VMworld hops to it
Data center operating systems play a big part at VMworld, but it's still too soon.

Certificate program for secure cloud computing
The Cloud Security Alliance introduces user certification.

What does the Army's Crusher tank and RIM's tablet computer have in common?
RIM plans to use Crusher tank technology on its yet-to-be-announced tablet.

Some helpful links
A list of links to example programs implemented across multiple languages.

Realize Effective Distributed Development via a Virtual Software Factory Explore the ways in which IBM Rational can make distributed development a reality in your...

Simplify Issue & Project Tracking - Free 30 Day Download Application development teams constantly find themselves under pressure to increase the s...

Agile Development Requires Agile Processes For far too long, the general demeanor for software development lifecycle (SDLC) process i...

Application Lifecycle Management in the Oracle Environment If your organization has invested in Visual Studio and you develop on Oracle databases, yo...

Technorati

Digg

Slashdot

Facebook

Friendfeed

Twitter

del.icio.us

GET THE APP!

Outrunning the Bears

In-house hackers help Web sites stay steps ahead by finding vulnerabilities before they are exploited

By Jeff Feinman

July 1, 2007 — (Page 1 of 3)
The term “hackers” does not merely represent the villains that break into Web sites to do malicious things and steal important information. There are the white knights of the hacker society as well, scanning Web sites and conducting penetration tests to find vulnerabilities. Ethical hacking has become a security tool, as organizations seek out their vulnerabilities before the wrong sets of eyes find them.

BUGS FOR SALE
A developer for the open source Metasploit project, a computer security project that provides help and tooling for penetration testing, said that hackers are starting to sell the vulnerabilities they find because bugs are getting harder to find. The developer, who asked to be referred to only as Pusscat, said sale prices depend on what the bug is.

Pusscat and other developers contribute exploit code to Metasploit on an ad hoc basis. Exploit code is code that takes advantage of a software vulnerability to subvert some security mechanism, most usually to execute arbitrary code on the system within the context of that process.

“There’s a lot of time and effort that goes into finding [vulnerabilities], and even more that goes into exploiting them,” Pusscat said. “It’s basically free work you’re giving the company if you disclose the bug. The ones that get disclosed are usually disclosed by people who think they have more going for them in name recognition than in selling the bug.”

Pusscat also said that hackers can achieve a great deal of fame and a stronger resume if they release vulnerabilities publicly.

Both Pusscat and Scott Laliberte, director of security assessments for Protiviti, a provider of audit and technology risk consulting services, said most hackers follow the unwritten rule of responsible disclosure, which calls for informing the company and giving them the information you have on the vulnerability, while the company in turn gives a timeline for fixing the patch.

Sometimes the researcher and the company can negotiate an acceptable time line, with the researcher vowing to keep it quiet until that date, and the company crediting the researcher for finding it, according to Pusscat.

Pages 1 2 3

Share this link: http://www.sdtimes.com/link/30856

What Bears Repeating Software development is hard. Software development can be made easier by disciplined team and managerial practices. The best programmers are...

SD West Bears Development Fruit SANTA CLARA — The SD West conference, held here in late March, played host to development tools vendors both new...

Add comment

Name*
Email*
Country

Comment
Preview

News on Monday
more>>
SharePoint Tech Report
more>>

Download Current Issue
ISSUE 9/1/2010 PDF

Need Back Issues?
DOWNLOAD HERE

Receive the print Edition?

VMworld hops to it
Data center operating systems play a big part at VMworld, but it's still too soon.
09/02/2010 01:42 PM EST

Certificate program for secure cloud computing
The Cloud Security Alliance introduces user certification.
09/01/2010 04:20 PM EST

What does the Army's Crusher tank and RIM's tablet computer have in common?
RIM plans to use Crusher tank technology on its yet-to-be-announced tablet.
08/25/2010 04:16 PM EST