Tuesday, January 23, 2007

Ethical Hacking

A common question I get from people is, "What do you like about QA?" Actually, it's also a common question I ask people during interviews, but I digress. It's a question I've thought about a great deal during my time in the industry, and I have a few answers, but my favorite one is that I consider testing to be a form of ethical hacking.

Putting the negative connotations aside, hacking (in my opinion) is understanding a system so thoroughly that you can discover weaknesses to exploit in order to gain some sort of advantage. These advantages could be an escalation of privileges, using the system in ways not intended or devised, or simply disturbing the data in the system. Not to be too picky, but the actual term for this is "cracking". The idea of hacking extends well beyond computers, as many of you know I'm sure. Using the correct combination of coupons to get a good deal at Best Buy (as seen frequently on Techbargains) is using the system in a way that wasn't intended, and is a form of hacking.

Since hacking unfortunately already carries negative connotations, I like to use the phrase "ethical hacking". As part of my job, I must understand a system well enough to exploit it. Truly, there are an infinite number of combinations of actions that one can try in order to exploit a system. As members of a larger system, one must understand more than just the application under test. You must also have knowledge of the underlying operating system(s) it may be used on, any network protocols that may be in use, the pitfalls of the underlying architecture, the caveats of the language it was written in, etc. It is the external world housing the application that one must learn to understand, and in that, there is so much to learn, which keeps life interesting.

3 comments:

WG: said...

Hey: What about ethical hacking in other systems? As you put it, "understanding a system so thoroughly that you can discover weaknesses to exploit in order to gain some sort of advantage" could be applied to any system.

In government that understanding and exploitation might be . . . running for office. In medicine that understanding might be: Convincing a patient to have a procedure they really don't need. I like the description you lend to QA.

SearchForQuality said...

Ah ha, and as I say in the blog, "The idea of hacking extends well beyond computers, as many of you know I'm sure." Definitely the idea of hacking can extend into any realm.

Unknown said...

It is a good term to say that the tester needs to do ethical hacking. In fact, there is a certification for ethical hacking. One of my team members completed this certification, which seems to be helpful in looking at my security product from that perspective.
You can get more details at http://www.eccouncil.org/CEH.htm.

Your blog is enriched with good information.