What Is Ethical Hacking and How Does It Work?

Sorry, not available in this language yet

English
日本語
简体中文

AI-generated code | Harness the power of AI coding assistants while managing the risks.
API Security Testing | Manage software risks with a holistic API security testing program.
AppSec Program Consolidation | Simplify your application security program.
Application Security Testing | Solutions to address security risks at all stages of the application life cycle.
DevSecOps | Solutions to help shift security left without slowing down your development teams.
Software Supply Chain Security | Solutions to identify and manage software supply chain risks end-to-end.
Manage Enterprise AppSec Risk | Scale your application security program without increasing complexity or adding friction.
Cloud & Container Security | Optimize your applications for secure deployment and operation in the cloud.
Open Source License Compliance | Effective solutions for ensuring open source license compliance.
M&A Due Diligence | Identify software risks that could negatively impact the value of acquired IP.
Quality and Security Standards Compliance | Ensure your software complies with the standards critical to customers and regulators.

Static Analysis (SAST) | Analyzing code for security vulnerabilities without executing it.
Software Composition Analysis (SCA) | Analyzing software components for security and license compliance.
Dynamic Analysis (DAST) | Testing running applications for security vulnerabilities.
Interactive Analysis (IAST) | Real-time security testing during application execution.
Penetration Testing | Simulated cyberattacks to identify vulnerabilities.
Mobile Application Security Testing (MAST) | Ensuring the security of mobile applications.
Application Security Posture Management (ASPM) | Managing and improving application security posture.
Fuzz Testing Solutions | Identifying vulnerabilities by inputting random data to applications.

Automotive | Security solutions for automotive industry applications.
Financial Services | Security solutions tailored for financial services.
IoT & Embedded | Security for Internet of Things and embedded systems.
Medical Devices | Security solutions for medical devices.
Public Sector | Security solutions for government and public sector organizations.

Dev and DevOps Teams | Security tools and practices for development and DevOps teams.
Security Teams | Solutions and support for dedicated security teams.
Legal Teams | Resources and compliance tools for legal teams.

Table of Contents

What are the key concepts of ethical hacking?
How are ethical hackers different from malicious hackers?
What are the skills and certifications for ethical hacking?
What problems does ethical hacking identify?
What are some limitations of ethical hacking?
How does Black Duck manage ethical hacking?

Definition

Ethical hacking is an authorized attempt to gain unauthorized access to a computer system, application, or data using the strategies and actions of malicious attackers. This practice helps identify security vulnerabilities that can then be resolved before a malicious attacker has the opportunity to exploit them.

Ethical hackers are security experts who perform these proactive security assessments to help improve an organization’s security posture. With prior approval from the organization or owner of an IT asset, the mission of an ethical hacker is the opposite of malicious hacking.

Penetration Testing: A Buyer's Guide

This guide details the benefits of pen testing, what to look for in a pen testing solution, and questions to ask potential vendors.

Download the guide

What are the key concepts of ethical hacking?

Hacking experts follow four key protocol concepts.

Stay legal. Obtain proper approval before accessing and performing a security assessment.
Define the scope. Determine the scope of the assessment so that the ethical hacker’s work remains legal and within the organization’s approved boundaries.
Disclose the findings. Notify the organization of all vulnerabilities discovered during the assessment, and provide remediation advice for resolving these vulnerabilities.
Respect data sensitivity. Depending on the data sensitivity, ethical hackers may have to agree to a nondisclosure agreement, in addition to other terms and conditions required by the assessed organization.

How are ethical hackers different than malicious hackers?

Ethical hackers use their knowledge and skills to secure and improve the technology of organizations. They provide an essential service by looking for vulnerabilities that can lead to a security breach, and they report the identified vulnerabilities to the organization. Additionally, they provide remediation advice. In many cases, ethical hackers also perform a retest to ensure the vulnerabilities are fully resolved.

The goal of malicious hackers is to gain unauthorized access to a resource (the more sensitive the better) for financial gain or personal recognition. Some malicious hackers deface websites or crash back-end servers for fun, reputation damage, or to cause financial loss. The methods used and vulnerabilities found remain unreported. They aren’t concerned with improving the organizations security posture.

What are the skills and certifications for ethical hacking?

An ethical hacker should have a wide range of computer skills. They often specialize, becoming subject matter experts on a particular area within the ethical hacking domain.

All ethical hackers should have

Expertise in scripting languages
Proficiency in operating systems
A thorough knowledge of networking
A solid foundation in the principles of information security

Some of the most well-known and acquired certifications include

What problems does ethical hacking identify?

Ethical hacking aims to mimic an actual attack to look for attack vectors against the target. The initial goal is to perform reconnaissance, gaining as much information as possible.

Once an ethical hacker gathers enough information, they use it to look for vulnerabilities. They perform this assessment using a combination of automated and manual testing. Even sophisticated systems can have complex countermeasure technologies that may be vulnerable.

In addition to uncovering vulnerabilities, ethical hackers use exploits against the vulnerabilities to prove how a malicious attacker could exploit it.

Some of the most common vulnerabilities discovered by ethical hackers include

Injection attacks
Broken authentication and authorization
Security misconfigurations
Business logic vulnerabilities
Use of components with known vulnerabilities
Sensitive data exposure
Vulnerability chaining

After the testing period, ethical hackers prepare a detailed report that includes additional details on the discovered vulnerabilities along with steps to patch or mitigate them.

What are some limitations of ethical hacking?

Scope. Ethical hackers cannot progress beyond a defined scope to make an attack successful. However, it’s not unreasonable to discuss out-of-scope attack potential with the organization.
Resources. Malicious hackers don’t have time constraints that ethical hackers often face. Computing power and budget are additional constraints of ethical hackers.
Methods. Some organizations ask experts to avoid test cases that lead the servers to crash (e.g., denial-of-service attacks).

How does Black Duck manage ethical hacking?

Black Duck offers managed penetration testing, also known as pen tests, for web applications and services. This security testing technique simulates a real-world attack on a system to identify vulnerabilities and weaknesses in systems and code. Using a blend of manual and tool-based testing, Black Duck managed penetration testing services provides a comprehensive assessment of a runtime environment with accurate results and actionable remediation guidance.

By opting for a managed penetration testing service provider, companies get access to security testing experts who can help them understand their security risks, meet compliance requirements, and enable in-house security teams to focus on other objectives.

- This glossary was verified by Chai Bhat.