Coaches of sports teams would relish the chance to know their opponents' offensive playbook, so that they can prepare the right defensive schemes. Debate experts say you should understand your opponent’s position before you attempt to refute it. You should also consider the ways your opponent may attack your argument and how you’ll defend it. The same principles are true in software and app development. Developers are often encouraged to think like hackers to find and fix vulnerabilities before any real hackers have the chance to exploit them.
Security advisor Roger A. Grimes writes that “true security pros,” including TSA and loss prevention employees in retail, are always hacking systems, at least mentally.
“They have the mindset to automatically think of ways to break into almost any system they come across,” he writes. “By looking at systems through the eyes of a hacker, you can better identify weaknesses and create defenses. The best anti-hackers are hackers themselves.”
Offensive vs. Defensive Security
Hacking is a key part of offensive security, which differs from defensive security in a couple of key ways.
Defensive security is reactive: it focuses on preventing attacks and on finding and responding to breaches when they occur. Offensive security is proactive: it relies on penetration testing, also known as ethical hacking, in which developers simulate an attack on their own system to see, first, whether it can be compromised and, second, what happens if it is.
The more creative teams are in penetration testing, the more ways they can imagine to bypass existing defenses—and the less likely it is that a real hacker will be able to outwit their app.
How to Learn to Think Like a Hacker
There are several classes on ethical hacking available, including many online platforms that allow students to learn remotely. This is particularly ideal right now, as COVID-19 poses a barrier to traditional in-person education. Some courses also offer certifications, which is a great incentive for developers looking to bolster their resumes.
One of the easiest ways for developers to begin thinking like hackers is to practice—legally, of course. There are several “war games” developers can play that test their hacking skills on real servers set up for that purpose. They include Hack This Site, Smash The Stack, and the portal WeChall, which offers a variety of challenges. Additionally, Google’s Gruyere is an app that’s full of holes just waiting for you to find them. The codelab allows for both white box (you have access to system information) and black box (you don’t) hacking, and challenges are tagged according to which approach is required to complete them. Those who find themselves particularly good at this sort of thing may also enter contests for prizes or glory. Facebook’s Hacker Cup awards $20,000 to the first place winner.
Lessons Beyond Hacking
But thinking like a hacker doesn’t just mean constantly searching for ways to subvert systems. We can learn other lessons from them, too. Hackers are often self-taught, scrappy, curious, creative, willing to think outside the box, and enthusiastic about their chosen profession or hobby—even though it may not be a legal one. Those aren’t bad qualities for a developer either.
Asking questions about current protocols is key to innovation. Companies should foster a workplace that encourages curiosity and asking “why” and “what if” questions.
Additionally, giving developers the freedom to have fun and try new things can be beneficial and boost morale, especially if that occurs within their typical workday and doesn’t feel like a burden. Companies can set aside time for these educational opportunities or even create their own team-building hacking games and challenges.