Software Testing and Ethical Hacking? By Adam Brown
I met up with an old girlfriend of mine recently for dinner. We see each other regularly, and she mentioned that her parents often ask how I’m doing and what I’m up to these days. She said she often forgets exactly what I do and once told them that I was an “Ethical Hacker”. I didn’t disagree with her when she told me this as, for one, “Ethical Hacker” may just be the coolest job title ever, and it doesn’t get the blank, confused stares you usually get when you tell people you’re a “Software Tester”. Afterwards, it got me thinking… Are Software Testing and Ethical Hacking the same thing?
Let us first define what an “Ethical Hacker” is:
A white hat is the hero or good guy, especially in computing slang, where it refers to an ethical hacker or penetration tester
A penetration test is a method of evaluating the security of a computer system from the standpoint of a malicious source. The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, both known and unknown hardware or software flaws, or operational weaknesses.
Going by these definitions, I suppose that to some extent, yes, I might just be an “Ethical Hacker of sorts”. Software Testers do analyse systems for potential vulnerabilities that could result from poor or improper system configuration. We also test for “both known and unknown hardware or software flaws, or operational weaknesses.”
One example that comes to mind is that while testing an application recently, I tried using SQL injection in input fields on a web app. In this example, I knew that the value I entered into this field would be used as a parameter in an SQL query, so if my input string were to work its way into the query it could potentially delete my data. I knew the data behind it, so I entered a valid DELETE query into the field. The app caught it and returned an error straight away stating that the entered text was invalid. Obviously, if this had been run, it would have been raised as a defect with maximum severity and would have been a show-stopping defect. So my malicious attempt at hacking the system was done with the best intentions.
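To make the defect the post describes concrete, here is an added example (not code from the original post or from the application it describes) showing the two sides of that test: a lookup that splices user input into the SQL text, the same lookup with a bound parameter, and an allow-list validator of the kind that rejected the author's input before it reached the query. The table, the names and the `users` schema are constructed for the example, and `lookup_vulnerable`, `lookup_parameterized` and `validate_name` are assumed names; it uses only the standard library's `sqlite3` and `re`.

```python
import re
import sqlite3

# Constructed in-memory sample data (not from the original post).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users (name) VALUES (?)",
        [("alice",), ("bob",), ("carol",)],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn, name):
    # Defect: the input is spliced into the statement text, so a quote in
    # the input changes the query's structure instead of being compared
    # as data. This is the "show-stopping" finding a tester would raise.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, name):
    # Hardened form: the driver binds the value separately from the SQL
    # text, so whatever the input contains it is matched as a literal.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

# Allow-list for the field's expected shape (assumed for the example):
# letters, digits and a few punctuation characters, 1-32 characters long.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.-]{0,31}$")

def validate_name(name):
    # Input validation of the kind the post's app performed: reject
    # anything outside the expected shape before it reaches the query.
    return NAME_RE.fullmatch(name) is not None

def demo():
    conn = make_db()
    benign = "bob"
    # Constructed test input: a quote that closes the string literal
    # followed by a tautology, the textbook probe for this defect.
    tampered = "' OR '1'='1"
    return {
        "benign_vuln": lookup_vulnerable(conn, benign),
        "benign_param": lookup_parameterized(conn, benign),
        # The spliced query matches every row; the bound query matches none.
        "tampered_vuln": lookup_vulnerable(conn, tampered),
        "tampered_param": lookup_parameterized(conn, tampered),
        # The validator turns the probe away before any query runs.
        "tampered_rejected": not validate_name(tampered),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for a tester is the pairing: validation gives the early "entered text was invalid" error the post saw, but the parameterized query is what keeps the input from ever being interpreted as SQL, so the defect report should ask for both, not for a longer block-list.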