Software engineers are capable of building up complex applications to make our lives easier. Depending on how safe engineers develop these kinds of solutions, applications are exposed to cybercrime. If software engineers can build applications, that infers they understand how software works behind the scenes.
You might wonder: Does that mean they also know how to hack?
While it is possible software engineers could know how to hack as they have a good understanding of all the pieces that go into developing software, it doesn’t mean they know how to hack. In fact, you don’t need to be a software engineer to know how to hack.
A good question to ask yourself is: What do you know by term hacking?
In this article, we are going to talk about what the term “hacking” means, whether it is ethical to hack, understand the definition of ethical hacking, and find out if software engineers can become hackers, better yet ethical hackers.
Table of Contents
What is hacking?
There are two different definitions of hacking. The most common definition for hacking refers to the activity of identifying vulnerabilities to break into a computer, a phone, an application system, or a network.
Typically, hacking is associated with malicious activity such as being able to open the camera of someone else’s computer from your computer or any other device without the consent of the other person. However, that does mean all hacking is for illegal purposes.
As per the definition, hacking involves identifying vulnerabilities. It is up to the hacker, or person who hacks, to do whatever they want to once they identify those vulnerabilities. If you look at it in a different way, identifying deficiencies in a system opens room for improvement in the system to prevent malicious actors to exploit vulnerabilities to do cybercrime.
There is also another school of thought that considers hacking as the activity to make a computer do things. For instance, if you check the video below in which the hacker access unauthorized activity to someone else’s computer, you will notice he executes commands to make the computer do things like opening the camera and taking a picture, or opening the calculator of the computer.
The activity of executing commands on someone else’s computer sounds sketchy, the reality is that hacking in itself is the execution of these commands. It’s about getting a deeper understanding of how the system works and making a system do things if you tell it what to do without necessarily using the regular interface such as clicking the menu to open the browser, but using the terminal to execute commands that not all people know about.
Is it ethical to hack?
Having a simple answer to whether it is or not ethical to hack is not possible without saying it depends. It all comes down to what context the term hacking is applied. Hence, that’s the reason we explained what hacking means.
Since it has become a standard to think of hacking as an attempt to exploit a computer system or network to gain unauthorized access to do a malicious activity such as stealing data or blocking entire systems in exchange for monetary reasons, hacking is perceived as the whole opposite of what we understand by an ethical action.
After all, what do we know by ethics or ethical action?
Actions are not right or wrong themselves. For example, the act of stealing can be right or wrong. It is up to society to come up with standards describing what humans should or not do, which is what we understand by ethics. Since hacking is perceived as a malicious activity, it is generally considered unethical.
What is ethical hacking?
Not all hacking is unethical. In fact, there is a whole area of specialization around ethical hacking done by white hat hackers, which are considered the good hackers whose real intent is to do penetration testing or simulation of real vulnerability exploitation in computer systems and networks to help improve the system from black hat hackers or cybercriminal.
Having said that, ethical hacking is considered as an authorized practice of detecting vulnerabilities and bypassing system securities to identify threats, vulnerabilities, and data breaches in a computer system or network.
Companies invest in cyber security engineers to perform a hypothetically malicious activity to test the system defenses. Contrary to malicious hacking, this practice is accepted and planned.
Can software engineers become hackers?
Software engineers have skills they can use to become hackers, but it doesn’t make them hackers. The first thing we should look at is the primary goal of both, a software engineer and a hacker.
Software engineers’ main goal is to solve problems. That’s why many experienced engineers talk about problem-solving skills as the most important a software engineer should target to master. On the other hand, hackers’ main goal is to detect and find problems up to the point that it feels like they are creating problems that software engineers didn’t see coming when developing and testing software.
Therefore, software engineers interested in becoming hackers will need to be comfortable changing their main objective. The good part is whether being an engineer or a hacker, both require technical skills that can be interchangeable to do one job or the other.
However, software engineers are programmers, and hackers are not necessary but it is ideal if they have programming skills. While hackers can break into programs, databases, passwords, there is a good emphasis on networking knowledge as it not only allows them to be in the same network as their victims but also helps them remains anonymous.
One example for hackers to remain anonymous is to use browsers like Tor and VPNs to mask their location, or even use multiple proxy servers. The idea behind this is to hide their IP address as the IP address serves as your computer or phone personal identification. While software engineers might have heard and used networking concepts, it requires them to have a higher understanding level of the topic.
Hackers generally have a passion for understanding how things work. They are curious to understand how systems work from the root level, which often encourages them to not only find information about the systems but also run creative experiments. Software engineers have similar traits, which makes the transition to becoming hackers much easier.
Software engineers should understand their computer systems’ vulnerabilities
Do you know how many software engineers are in the world? According to Evans Data Corporation Data’s Global Developer Population and Demographic Study, there are 26.9 million software developers worldwide.
One good question to ask is how many of those are above-average engineers striving to make applications safer?
Most likely that number will be much smaller.
There is a reason why there is constant news about data breaches, hackers detecting backdoors to access programs with authorized permissions, and many other security flows. This happens because software engineers lack the knowledge to understand their computer systems’ vulnerabilities as they are not aware of them.
Typically, above-average engineers are concerned about considering security flaws at the moment of architecting and developing solutions but also look for ways to penetration tests to find the vulnerabilities of their own system. While software can have a large number of vulnerabilities, engineers should pay special attention to checking key security flaws such as the following:
- Injection attacks
- Lack of proper Logging and Monitoring
- Flaws in the Authentication System
- Changes in security settings
- Cross-Site Scripting (XSS) Deficiencies
- Sensitive data exposure
- Components used in the system or network that may be used as access points
- Using Components with Known Vulnerabilities
Can a software engineer prevent against hacking?
While software engineers can do everything they can to make a system more secure, it is not possible for them to prevent hacking. Software is built by multiple components and there is always a chance of having deficiencies among any of those components.
In fact, there are vulnerabilities that can’t be prevented such as having a user getting their password hacked. In this case, if the user uses common passwords that are easy to crack using tools like John the Ripper password cracker, or other scenarios such as when users leave their passwords written in a sticky note in from of their computer and someone can easily get access to their accounts.
Software engineers cannot change the way users write their passwords or where they save them. However, they can establish stricter authentication mechanisms to make access to a system more difficult such as enforcing a minimum password of 8 characters containing at least an uppercase letter, a lowercase letter, a number, and a special character.
In the case the password is hacked, other mechanisms can be placed in effect on top of enforcing the user to type stronger and harder to crack passwords. A common practice is to configure the system to enforce fingerprint authentication, multi-factor authentication, facial recognition authentication, among other techniques.
Applying more secure protocols and mechanisms in place by no means guarantees hackers not gaining unauthorized access to a user’s account. However, it is harder for a hacker to go through multiple walls of protection than only one.
Now, if you think about the example of making authentication a much safer process, there are benefits and disadvantages of constantly applying multiple levels of security to every component of the software.
A possible disadvantage of having multiple layers of authentication is that it makes the software less practical or easier to access as the user now needs to go through a multi-step process just to log it.
Another disadvantage is to think about the development costs involved when adding more time is spent on making software safer. While in an ideal world, software vendors should strive to make their software safer and give customers peace of mind, the reality is business decisions tend to be driven by how much profit they can make off of a product.
Knowing about the infinite possible vulnerabilities a system can, software engineers aim to focus their attention to limit vulnerabilities to key aspects that play an important role in not only the software but also the business such as having data breaches that can put in hack a whole organization’s reputation.
What are some tools used for penetration testing?
There are common tools ethical or white hackers use to do penetration testing, which software engineers can take advantage of to test how secure their solutions are architectured and developed in from of intruders. Some of the most popular tools used for penetration testing are:
- Wireshark: It is a network protocol analyzer that lets you see what’s happening on your network as well as assessing traffic for vulnerabilities in real time.
- Kali Linux: It is a popular and free operative system with over 600 atooles for penetration testing and security analytics.
- Burp Suite: It is a proxy-based tool to intercept requests widely used for penetrationg testing such enabling to modify parts of a request such as the body.
- Sqlmap: It is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.
- John The Ripper Password Cracker: It is a free password cracking software tool used to identifiy weak passwords and poor password policies.
- Zed Attack Proxy (ZAP): It is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
- Nmap: It is a port scanner which is used to discover hosts and services on a computer network.
All in all, software engineers don’t necessarily mean they know how to hack. However, they have skills that are useful to become hackers. Making a transition from software engineer to hacker means making a transition in the mindset. Going from solving problems to creating problems can be challenging at first.
Knowing about the computer or network system’s vulnerabilities makes software engineers more aware about making their solution safer, which they can leverage penetration tools to identify weaknesses that a system is exposed to.
What did you think about this article?