
Securing IoT is an emerging opportunity for ethical hackers

Ethical hacking means improving your skills all the time. There was a time when knowing a few simple tricks was enough, but sadly, that's no longer the case.

Soma Tah

Bikash Barai


Anyone even remotely interested in computing has dreamed of being a hacker at one point or another. The idea of being the super-smart, super-capable night owl who goes unnoticed and pulls off jaw-dropping feats tickles the bad guy in us all. For those who felt the calling strongly, ethical hacking proved to be a godsend. Suddenly you could spend hours trying to demolish “secure” systems and get paid good money to do it!

This attracted—you guessed it!—competition and automation, to the point that Ethical Hacking today is vastly different from the game it used to be a decade back.


Here are some hot trends showing the winds of change in the world of Ethical Hacking.

Network Penetration Testing is dead

Well, it's not completely dead, but it's on its way out. A decade back there were countless organizations spending hundreds of thousands of dollars on network penetration testing and ethical hacking. Today, however, automated vulnerability assessment is good enough for management, who would rather put the same money into application security testing. Only a handful of organizations will pay for “real” network penetration testing today.

Web and Mobile Application Security Testing is in

By some estimates there are a couple of billion mobile and Web apps out there, and less than 10% of them are being tested. Naturally, this is one of the fastest-growing sectors in the security market.


Beware. Web and Mobile Testing is getting automated and commoditized

There are several players in the market who are automating Web and mobile app security testing to a high degree. As a result, prices are going down and quality is going up. So, sometime soon (5 to 10 years) application security testing will meet a similar (if not the same) fate as network penetration testing.

Gaining skills in deeper Business Logic Testing, Code Review, and Architecture Review is important

Since application security testing is getting more and more automated, ethical hackers should focus on learning how to spot logical flaws and on gaining domain knowledge. Automated testing does a lousy job of detecting complex vulnerabilities that need extensive domain knowledge of, say, banking: a scanner can confirm that a transfer endpoint rejects SQL injection and malformed input, but it has no idea whether the endpoint lets one customer debit another customer's account, or whether a negative amount quietly reverses the direction of a transfer.
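The kind of flaw the paragraph above has in mind, as an added illustration that is not code from the article or from iViZ. The bank, the account ledger, the daily-limit rule and the `transfer_*` handlers are all constructed for this example. Every input passes the checks a generic scanner probes for (types, known accounts, sufficient funds), so nothing crashes and nothing is injected; the bugs are purely in the business logic, and only someone who knows how a transfer is supposed to work will look for them.

```python
"""Business-logic flaws in a (constructed) bank transfer handler.

Added example, not code from the article or from iViZ. Accounts, balances,
the daily limit and the API are assumptions made for the illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Bank:
    # Constructed sample ledger: account id -> balance in whole currency units.
    balances: dict = field(default_factory=lambda: {"alice": 500, "bob": 100})
    # Constructed domain rule: a customer may send at most this much per day.
    daily_limit: int = 300
    # Running total of outgoing transfers per account for the current day.
    sent_today: dict = field(default_factory=dict)

    def transfer_vulnerable(self, session_user, src, dst, amount):
        """Looks sane to an automated scanner: typed input, known accounts,
        funds check. Two logic bugs remain: `session_user` is never compared
        with `src`, so anyone can debit any account, and `amount` may be
        negative, which silently turns a debit into a credit."""
        if not isinstance(amount, int):
            raise ValueError("amount must be an integer")
        if src not in self.balances or dst not in self.balances:
            raise KeyError("unknown account")
        if self.balances[src] < amount:
            raise ValueError("insufficient funds")
        self.balances[src] -= amount
        self.balances[dst] += amount
        return self.balances[src]

    def transfer_hardened(self, session_user, src, dst, amount):
        """Same API with the domain rules enforced server-side: ownership of
        the debited account, strictly positive amount, distinct accounts and
        the per-day sending limit."""
        if not isinstance(amount, int) or amount <= 0:
            raise ValueError("amount must be a positive integer")
        if src != session_user:
            raise PermissionError("cannot debit an account you do not own")
        if src == dst:
            raise ValueError("source and destination must differ")
        if src not in self.balances or dst not in self.balances:
            raise KeyError("unknown account")
        if self.balances[src] < amount:
            raise ValueError("insufficient funds")
        if self.sent_today.get(src, 0) + amount > self.daily_limit:
            raise ValueError("daily transfer limit exceeded")
        self.balances[src] -= amount
        self.balances[dst] += amount
        self.sent_today[src] = self.sent_today.get(src, 0) + amount
        return self.balances[src]


def demo_attack():
    """Bob, logged in as himself, drains Alice through the vulnerable handler."""
    bank = Bank()
    # Bug 1: no ownership check, so Bob debits Alice's account directly.
    bank.transfer_vulnerable("bob", "alice", "bob", 400)
    # Bug 2: a negative amount inverts the direction. Bob "sends" -100 from
    # his own account, which credits him and debits Alice again.
    bank.transfer_vulnerable("bob", "bob", "alice", -100)
    return dict(bank.balances)


def demo_hardened():
    """The same two requests against the hardened handler are both refused."""
    bank = Bank()
    blocked = []
    for args in [("bob", "alice", "bob", 400), ("bob", "bob", "alice", -100)]:
        try:
            bank.transfer_hardened(*args)
        except (PermissionError, ValueError) as exc:
            blocked.append(type(exc).__name__)
    return dict(bank.balances), blocked


def demo_limit():
    """A legitimate user hits the daily limit on the second transfer; a
    scanner that does not know the limit exists cannot test for it."""
    bank = Bank()
    bank.transfer_hardened("alice", "alice", "bob", 200)
    try:
        bank.transfer_hardened("alice", "alice", "bob", 200)
    except ValueError as exc:
        return str(exc)
    return "limit not enforced"


if __name__ == "__main__":
    print("vulnerable:", demo_attack())
    print("hardened:  ", demo_hardened())
    print("limit:     ", demo_limit())
```

Note that none of the vulnerable calls raises an error or returns anything unusual, which is exactly why a crawler-driven scanner cannot flag them: the test case has to come from knowing that a transfer must debit the caller's own account, must be positive, and must respect the customer's daily limit.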

Running scripts/tools is not enough. Understanding the design, code and logic is critical for career growth.

Running tools can take you only so far. To move beyond that and become more successful you need to understand the code, the design and the logic. Ethical hacking means improving your skills all the time. There was a time when knowing a few simple tricks was enough, but sadly, that's no longer the case. Today most products and organizations are maturing faster, so acquiring deeper understanding is key for future growth.


Ethical hacking for Internet of Things (IoT) is an opportunity

The world is moving towards IoT. This year at DEF CON in Las Vegas (the world's largest hacking conference), a surprising number of IoT products were broken. This is a clear signal that IoT is going to take the next hit. So here is the opportunity: learn how to break IoT devices.

Beyond technical vulnerability: Understand software security and vulnerability management programs

Technical knowledge is fine, but to move beyond it and become more successful you need to understand how to manage things at a bigger scale. You'll need to learn how to build an organization that can effectively manage the testing and the fixing. For that, you need to understand the elements of building a program: organization structure, stakeholders, the KRAs/KPIs of the players involved, how to measure success, how to build metrics and dashboards, and a lot more. If you can learn the above you will surely move up.

You need to choose whether you want to stay technical and go deep, or move into a broader role and solve bigger (in size, not necessarily in technical complexity) organizational challenges.


You can grow along both paths, but in India there are currently more opportunities on the techno-management ladder than on a purely technical one. BSIMM (Building Security In Maturity Model) is a great starting point for learning how to build a software security program.

Knowing how to break in is not good enough

Breaking looks awesome. It is sexy. But the glory is short-lived. Preventive techniques (mostly) have a longer shelf life than breaking techniques, and the future will hold more opportunity for people who know both. So you need to understand WAFs, SIEM, the secure SDLC and so on, so that you can not only break apps but also improve their security.

The author is CEO - iViZ 
