Why every Tester should learn Ethical Hacking
Several years ago I did a course on Ethical Hacking. I was the only person there with a background in Quality Assurance (QA). There were no other testers, only individuals from the Security fields. The instructor even told me that I’m a rarity as most people from my profession don’t bother learning Ethical Hacking. This seemed strange to me. Especially as they were using terminology that I was familiar with such as "security testing", "bug hunting" and "automated testing". I picked up the concepts and techniques quickly. It felt to me like just another arm of testing. Taking my security testing skills to the next level.
Recently I decided to take some time away from paid work to focus on building up my Ethical Hacking skills. You can read more about how that’s going in another article I wrote here. In that article I spoke about how it feels like you’ve gone back to University, only this time around you are going deeper into the technologies, tools and techniques. Plus with the use of gamification it doesn’t feel like you are learning, you are just doing research to aid you in your quest to hack the next box or to solve a puzzle.
About 6-months into my self-training time I was asked to step-back into my QA shoes and to test an API. Previously I would jump straight into using UI-based tools such as Swagger, SoapUI, JMeter or Postman and point them at the API building up a picture of how it works creating a set of test cases along the way matched to a set of requirements. This time around I found myself using Curl from the command-line combined with other API Ethical Hacking tools and exploratory testing techniques to map out the API looking for weaknesses or bugs I could exploit. It was a completely different mindset and approach. I wasn’t just looking for bugs where the implementation had failed to meet the design. I was also looking for security flaws. The only UI I used was Burp Suite and that’s only because I find the Repeater and Decoder features work faster than my command-line typing. The tests I created were scripted and coded. The time it took to figure out the API (without any documentation or help from the developer) was also much much faster.
Many years ago when I first started out on my QA career path I started offering "Security Testing" services. These built-up over time but generally consisted of various attempts to bypass authorization and authentication features with techniques such as fuzzing and brute-forcing. With Ethical Hacking, the more you learn the more you realise that there is more still to learn. The Cyber Security field is massive. It encompasses the whole of the IT industry. Ethical Hacking can be applied to every IT system, its operating systems, databases, applications and the IT infrastructure that holds it all together and the networks in-between. The point is you will never learn everything, but everything that you do learn adds to what you can offer.
The more time you spend learning Ethical Hacking tools and techniques, the broader your knowledge gets in both terms of Ethical Hacking skills and knowledge of IT. You will find that you dig deeper into protocols, software code, configuration files and deployment instructions. Your Linux command skills will increase, as will your knowledge of popular applications and their configuration. You will probably learn Python and feel more comfortable writing your own scripts to test and exploit weaknesses. Your lexicon of acronyms will also increase, as will your ability to recall HTTP response codes and popular port assignments.
When you return to your QA role you may find that you don’t want to be pigeon-holed as the Tester that sits separate from the development team. You may prefer to work alongside the development team. You may want access to their code repository so that you can look at the code and each PR looking for bugs and security vulnerabilities. You may even wish to develop your tools and scripts alongside their code (possibly in a separate repo). You may also find that you do not wish to just use traditional QA tools in your role, but to also use Ethical Hacking tools. Note here that you may require special permission from your client in order to be able to use Ethical Hacking tools and a separate section covering this may be needed with your Test Strategy. But once you have such permissions you may find yourself in a position to offer a greater set of skills to your clients. At the very least your IT knowledge will have increased and your security testing skills will have increased massively. You may not be referring to yourself as a Penetration Tester but your skill-set may not be that far off. Plus if your client routinely makes us of the services of a Penetration Testing organisation it would be interesting to see how many security issues they actually find following your testing.
In summary, I believe that every Quality Assurance Tester passionate about their craft should spend time learning Ethical Hacking. You’ll find that at the very least it rounds-out your security testing skills. Even if you just focus on learning how to test the OWASP Top Ten. However, you may just find that, like me, you enjoy it a lot and the more you learn the more you want to learn.
Good look and stay safe!
Dave
If you have any issues, suggestions or feedback for this article please email me.
Did you enjoy this article or find the information useful? Help keep Dave and his articles online by keeping him fed with coffee by clicking the link below. Cheers!
Last updated: 21st March 2022
