How to hire a hacker: 8 tips to lift your application security game
What with ingenious data thieves and sloppy users, penetration testing is a good, and maybe essential, way to find vulnerabilities before the bad guys do. Even if technology such as firewalls and intrusion detection systems protect 95 percent of an organization, “a penetration tester scans the whole environment” for vulnerabilities such as an exposed administrator password or a misconfigured firewall rule, says Art Gilliland, CEO of Skyport Systems.
“[Many companies] buy a bunch of technology, and they think they’re good,” says Gilliland. But most don’t have the right technology and “forget that security penetration comes at the seams, where technologies stitch together." Most are not as good at pulling together the people, processes, and technology integration as they need to be, he says.
Penetration testers highlight the people and process areas where you’re most vulnerable.
— Art Gilliland, Skyport Systems
Hiring a hacker to test your own penetration testing is the next must-do step to make sure your application is ready for prime time. Such external testing will improve your internal penetration testing, including patching systems, says Micah Zenko, a senior fellow at the Council on Foreign Relations who writes frequently about security. “[Hiring a hacker] will tell you which patches are most consequential and which you can prioritize.”
TechBeacon spoke with ethical hackers and their customers and came up with eight key tips for app sec success:
1. Dust off your Rolodex
Organizations such as (ISC)² and the SANS Institute provide training, the EC-Council offers a Certified Ethical Hacker accreditation, and a group of practitioners has even defined a penetration test execution standard. Many organizations rely on brand-name consulting firms, although they can be more expensive than smaller firms. But veterans say word of mouth and references from trusted peers are the surest ways to find skilled, and truly ethical, penetration testers. Certifications are not that important, because penetration testing is “an art form,” says Dan Berger, president of IT security assessment and consulting firm Red Spin, with factors such as curiosity, resourcefulness, and creativity more important than credentials.
2. Set your budget
External pen testing varies widely in price, depending on the size of the environment and the length of the engagement. Many firms offer “commoditized” engagements that last one week to ten days, cost $10,000 to $12,000, and include a number of attacks documented through screenshots and sample code, along with a prioritized remediation plan, says Zenko. At the high end, open-ended contracts to continually scan all parts of a major enterprise can range into the millions of dollars.
Leon Schumacher, a former CIO and co-founder and CEO of encryption vendor pEp Security, recommends a one-to-two-week effort that combines attacks from both outside and inside the company (such as from a contractor that has preferred access to your systems.) Gilliland says that if you don’t have budget or executive backing for proper security, a penetration test can be “an excellent way to free up budget if your executive team cares about security, and [the tester] gives you a roadmap of what to do to fix it."
3. Understand your environment to prioritize testing
“Asset discovery is probably the biggest key point," says Stephen Coty, chief security evangelist at security-as-a-service provider Alert Logic. “If you don’t know what you have, you don’t know what you’re vulnerable to.” He recommends regularly scanning your environment with automated tools to help you decide which systems are most critical and need the most testing.
4. Do what you can yourself
Even with a minimal budget, free or inexpensive open-source tools allow companies to do their own basic scanning and find obvious vulnerabilities, says Coty. These include the Kali Linux penetration testing toolkit, which includes tools that perform, among other things, network traffic analysis and scanning for SQL and WordPress vulnerabilities. Such tools are “not as adept as a pen tester with an auditor,” he says, but will give you an idea of your threat landscape. Taking a course on penetration testing can also help you judge an ethical hacker’s work, much as taking a course on car repair can help you judge a mechanic’s advice, says Tim O'Brien, director of threat research at cloud security automation platform vendor Palerra.
5. Scope your pen testing carefully
Wider-ranging, more aggressive pen testing can uncover more vulnerabilities, but costs more and increases the danger to critical applications and data. Some “companies artificially shrink the attack surface,” says Zenko, forbidding the “Red Team” to attack vendors that can be used as a wedge into corporate systems or to stage attacks at times when the customer lacks the staff to restore hacked systems. Such limits, he says, signal that senior management “does not want to hear the bad news." "Too often we tie the hands of our testers,” agrees Coty.
[Hackers] don’t have these rule they need to play by. They will go after you as often as they can and as hard as they can.
— Stephen Coty, Alert Logic
To reduce the threats to operational systems, Red Spin’s scanning software is automatically “throttled back” if it’s creating too much network traffic, says Berger. Another risk-reduction option is to limit testing to off-hours or to create test environments to attack.
Testing different parts of your infrastructure separately also makes it less likely you’ll be overwhelmed by all the test results, says O'Brien.
6. Choose among black-, white-, or gray-box tests
Black-box pen tests give the ethical hackers no information about your environment, white-box tests give them extensive inside information, and gray-box tests are, naturally, somewhere in the middle. Berger says most clients opt for white- or gray-box tests, because it’s so easy for hackers to find basic information (such as the IP range of the client's systems) that it doesn’t pay to have an ethical hacker do that work. Gray- or white-box testing can also be an opportunity for developers to work alongside the test team, learning not only know what to fix but how to prevent future vulnerabilities in their code.
7. Tap different skill sets
Gilliland hires multiple vendors “to test different parts of our system. Someone goes after the physical hardware, someone goes after the software stack, and someone tackles the business processes in the cloud,” he says. He also uses different testers for each round of tests. “Rotating through different vendors will find different weaknesses as they use different processes and attacks."
8. Act on the results
Most vendors will provide a prioritized, detailed list of attacks, explain how they were executed and the nature of each vulnerability (such as a software flaw versus a misconfigured or unpatched system), and prescribe a detailed remediation plan. Don’t even bother with penetration testing unless you have the budget and capacity to respond and fix problems, says Gilliland. “If you’re just doing it for a test, it’s a waste of money, unless it’s needed for compliance.”
Even then, too many companies treat penetration testing as a “check the box” compliance exercise, accepting superficial tests and not acting on the results. If you do, remember all those “compliant” companies that have suffered high-profile hacks that harmed their businesses.
Knowing the enemy
Done right, external penetration testing is a cost-effective way to see your systems through the eyes of your worst enemies—actual hackers. "If the good guys can do it, the bad guys can do it for sure," says Schumacher. "Everybody’s smarter if they knew what they were facing.”
Every one of us is getting a penetration test every minute [from real hackers.] We just don’t get the results.
— Tim O'Brien, Palerra
Image credit: Ryan McGuire