What is ethical hacking?

Ethical hacking is a broad term covering all sorts of authorized attempts to find security vulnerabilities in computer systems. Penetration testing is one form of ethical hacking. This post talks about ethical hackers and shows why ethical hacking is the foundation of modern cybersecurity – and especially web application security.

What is ethical hacking?

Who are ethical hackers?

Let’s start with a reminder that (despite common usage) “hacker” is a neutral term, not a negative one. In cybersecurity, a hacker is someone who enjoys the challenges of exploring, probing, and penetrating computer systems. Hackers have a broad understanding of the underlying technologies and processes in information security and instinctively focus on finding security gaps. Some extend this knowledge to exploiting human nature – the weakest link in any security system – through social engineering techniques.

When applied to safely finding and reporting security vulnerabilities so they can be fixed, these skills all make up ethical hacking. Ethical hackers (also called white-hat hackers) focus on making systems more secure by exposing existing weaknesses before cybercriminals can exploit them. Crucially, white-hats are always authorized to perform security testing (or rather they should be – more on that later).

This is in contrast to black-hat hackers, who apply the hacking mindset with malicious intent. Malicious hackers perform unauthorized security testing to find security gaps and execute cyberattacks for their own benefit and financial gain: to extract sensitive information, compromise user accounts, perform denial of service, or deploy malware such as ransomware or web shells. In the media, you will often hear people using the term “hacker” only in the context of cybercrime.

Is ethical hacking the same as penetration testing?

Penetration testing is one of many ethical hacking methodologies. Penetration testers are security professionals who are hired to work within the defined scope and time frame of a pentest to identify and exploit as many vulnerabilities as they can, providing a realistic picture of the current security level of the system under test. The job of a penetration tester is to find gaps, exploit them like a real attacker would, report vulnerabilities, and recommend countermeasures.

In recent years, the word “hacker” is also used by bug bounty platforms to refer specifically to bounty hunters – ethical hackers who report security vulnerabilities for money. While bounty hunters are similar to pentesters in that they are authorized to look for entry points into the systems being tested, penetration tests have a strictly defined scope and tend to be more comprehensive. Bounty hunters, on the other hand, are free to choose their own targets and may focus on exploring more profitable vulnerabilities rather than finding everything they can.

Is ethical hacking always legal?

Legality has always been a controversial topic for ethical hacking. While this varies depending on the jurisdiction, all unauthorized attempts to probe system security can be considered illegal activity, even if they are made in good faith. Especially in the early days of cybersecurity, this posed a huge problem for ethical hackers, as they could face criminal charges just for reporting that a computer system is unsafe.

Today, many companies follow a policy of responsible disclosure, making it legal for ethical hackers to report any vulnerabilities they may find in company systems on the condition that they don’t disclose this information publicly. In theory, the company should then inform the public about such issues once they have been fixed, though this varies widely in practice. Many companies now also run bug bounty programs that invite ethical hackers to freely investigate the security of an organization’s systems within a specified scope.

One general rule still holds, though: security testing is not a game, and running unauthorized security tests or gaining unauthorized access on systems you don’t own is usually illegal. This applies especially to automated scans since tools such as port scanners and vulnerability scanners generate network traffic that could potentially affect regular operations and may be interpreted as an attack attempt. So before you launch any vulnerability scan, ensure you are authorized to test the site, application, or system you are targeting. In Invicti, for example, it is impossible to scan a site for vulnerabilities without verifying that you have legitimate access to it.

To clarify the legal situation further, ethical hacking certifications and assessments are now available. While opinions vary as to the value of such certificates, some organizations (especially in government and regulated industries) may allow only certified ethical hackers to perform security testing on their systems.

What tools are used for ethical hacking?

Security testing in general relies on using all the same tools and methods as real-life attackers might use – with the good guys’ usual limitation of avoiding or at least minimizing fallout. Ethical hacking tools include both automated scanners (such as Nmap for port scanning) and a variety of manual tools for analyzing network traffic, crafting packets and requests, building attack payloads, and many more. Similarly, ethical hacking techniques need to include all the tricks that attackers might use, though stopping short of actions that could have a negative impact on production systems.

For web security testing, vulnerability scanners are a common tool on both sides of the barricade. While they started life as relatively simple automation utilities, leading modern scanners now include thousands of security checks and can be highly accurate – some can even automatically exploit vulnerabilities to confirm that they are real. This completely changes the dynamics of web application security by allowing organizations to build regular security testing into their routine workflows without always having to wait for test results from a dedicated security team or external security testing.

Especially in large and fast-moving application environments, a quality DAST solution is essential to identify URLs for testing and automatically find many common vulnerabilities on an enterprise scale, including SQL injection, cross-site scripting (XSS), and local file inclusion. By integrating an advanced vulnerability scanner into their development and testing workflows, organizations can take care of the low-hanging fruit internally before calling in the security experts. Penetration testers and bounty hunters can then focus their efforts on more advanced attacks and business logic vulnerabilities that truly require their ethical hacking skills.

Ethical hacking in web application security

Regardless of specific technologies or market segments, ethical hacking is the common foundation of the entire cybersecurity industry. Especially in the dynamic security testing space, the ultimate goal is to find and close security gaps before attackers can exploit them. A few decades ago, IT security was all about network security, with security experts focused on protecting computer networks and operating systems from intruders using firewalls and other perimeter defense solutions. As more and more software (along with sensitive data) moves to increasingly complex cloud environments, bringing the hacker mindset to web security has become crucial for protecting information systems from cyber threats and preventing data breaches.

We often think about manual and automated security testing as two completely separate approaches, but in reality, they are two sides of the same coin. After all, vulnerability scanners and other security tools don’t write themselves. Invicti was created by a penetration tester and is being constantly improved by a team of security researchers – all ethical hackers working to automate web application security testing and help the good guys stay ahead of the bad guys. We also contribute directly to the cybersecurity community by reporting vulnerabilities in open-source web applications under the Invicti advisory program.

Whether they are running penetration tests, red teaming, seeking out bug bounties, or building web vulnerability scanners, ethical hackers are the backbone of web application security – and Invicti is proud to be a part of that community.

Zbigniew Banach

About the Author

Zbigniew Banach - Technical Content Lead & Managing Editor

Cybersecurity writer and blog managing editor at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.