The Case for Teaching Engineers How to Hack
Around the turn of the century at Microsoft, everyone in engineering was delivered a copy of the “Writing Secure Code” book. It’s been out of print since the second edition, and a lot of the material would look very dated in today’s secure-coding landscape. But, as the cover of the book says, it truly was “required reading at Microsoft”, and for me at the time it was very eye-opening. With some basic knowledge of how to hack poorly written web sites, I was able to level up my own code and reviews from that point forward in my career. Indeed, it’s hard for me to imagine how to develop a secure application without recognizing common vulnerabilities and how to test for and prevent them.
Attacks on software are routine, not exceptional, so software engineers need at least a basic, hands-on understanding of the techniques attackers actually use.
While the term "hacking" may carry negative connotations, especially in the enterprise, learning how common vulnerabilities such as Cross-Site Scripting (XSS) and SQL Injection are found and exploited lets engineers write code that resists them and build more resilient applications. Let’s take a look at why software leaders should encourage teaching these techniques to engineers and how it benefits their organization’s software products.
Enhancing Security Awareness
By learning hacking techniques, engineers gain a concrete understanding of how vulnerabilities are exploited, not just that they exist. That knowledge builds a security-focused mindset: they recognize weaknesses in their own code before an attacker does, anticipate attack vectors while designing, and apply defensive coding practices throughout the software development lifecycle rather than bolting security on at the end.
Building Secure Applications
Knowing the tactics attackers use allows engineers to protect their applications proactively. By understanding the vulnerability classes catalogued in the OWASP Top 10, software engineers can apply the specific countermeasures that actually close each one: input validation, output encoding, parameterized queries, proper authentication and authorization, and other secure coding patterns. Seeing an exploit work against a naive implementation is what makes the fix stick, because the engineer understands exactly which step of the attack the countermeasure breaks. This prevents malicious users from exploiting those weaknesses to compromise the organization’s sensitive data.
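The point is easiest to see in code. The following is an added example, not code from the original post or from any product it mentions: it builds a small in-memory SQLite user table (constructed sample data, with plaintext passwords purely for illustration), shows the two attacks named above against naive implementations, and places the hardened version of each beside it. Function and table names are assumptions made for this illustration.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the demo. Real systems store password
    hashes, never plaintext; that is a separate lesson from injection."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


# --- SQL Injection: vulnerable vs. hardened -------------------------------

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Builds the query by string interpolation, so user input becomes SQL.
    An attacker who submits the username  alice' --  turns the rest of the
    WHERE clause into a comment and logs in as alice without the password."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterized query: the driver sends the SQL text and the values
    separately, so quotes and comment markers in the input are just data."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


# --- Cross-Site Scripting: vulnerable vs. hardened ------------------------

def greeting_vulnerable(name: str) -> str:
    """Reflects user input straight into HTML. A name of
    <script>alert(1)</script> becomes live markup in the victim's browser."""
    return f"<p>Welcome, {name}!</p>"


def greeting_safe(name: str) -> str:
    """Encodes for the HTML text context before interpolating. html.escape
    with quote=True also covers attribute-value contexts; JavaScript or URL
    contexts need their own encoding and are not handled here."""
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    conn = make_db()
    bypass = "alice' --"
    print("vulnerable login as", repr(bypass), "->", login_vulnerable(conn, bypass, "wrong"))
    print("hardened login as  ", repr(bypass), "->", login_safe(conn, bypass, "wrong"))
    payload = "<script>alert(1)</script>"
    print("vulnerable HTML:", greeting_vulnerable(payload))
    print("hardened HTML:  ", greeting_safe(payload))
```

An engineer who has typed `alice' --` into a login form and watched it succeed understands why "escape the quotes" is not the fix and parameterization is. The same goes for XSS: the encoding that is correct for one output context (HTML body) is insufficient for another (a script block or a URL), which is exactly the kind of distinction that only becomes obvious after you have tried to get a payload past a half-hearted filter.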
Improving Code Reviews
Understanding hacking techniques enables engineers to conduct more effective code reviews. By recognizing security anti-patterns, such as string-built queries, unencoded output, or authorization checks that can be skipped, they can identify vulnerable code sections, suggest improvements, and ensure compliance with best practices. This knowledge also helps in assessing the security posture of vendor and open-source libraries and components used in software projects, since the reviewer knows which kinds of flaws to look for rather than taking a dependency on faith.
Collaboration with Security Teams
In organizations with dedicated security teams, developers who are familiar with hacking techniques can communicate more effectively with security engineers. They can read a vulnerability report or a pentest finding, reproduce the issue, and implement the recommended fix without a long back-and-forth about what the finding means or whether it is real. This collaboration fosters a culture of security awareness and facilitates smoother coordination between development and security teams.
Understanding the Attacker's Perspective
By familiarizing themselves with hacking techniques, software engineers gain insight into the mindset of potential attackers. This understanding enables them to anticipate and defend against real-world threats effectively.
But…?
You might fear that teaching hacking techniques widely throughout an enterprise will turn your engineers into budding cybercriminals. On the contrary, learning about hacking techniques empowers developers to build secure software, understand potential vulnerabilities, and collaborate effectively with security teams. It does not transform them into hackers but rather equips them with the knowledge and skills necessary to enhance security practices and defend the organization’s assets.
Of course, it’s important to emphasize that learning about hacking techniques is intended for ethical and responsible use. Software engineers should understand the ethical boundaries and legal implications associated with hacking, and the training itself should run against systems built to be attacked (lab environments, deliberately vulnerable practice applications, or the organization’s own code with explicit authorization), never against production or third-party systems.
How?
Say you’re convinced of the benefits of teaching basic hacking techniques to your software engineers, but your organization doesn’t have the expertise in-house to orchestrate this kind of training effort. Fortunately, there are a lot of resources available to help you out, beyond the tried-and-true approach of hiring a consultant.
One of the more amazing platforms I’ve seen is Secure Code Warrior, which supports interactive, gamified learning (not to mention a beautiful user experience) and can be customized to cover the platforms and tools your engineers use to build systems.
Go For It
Teaching engineers how to hack ethically and responsibly equips them with the knowledge and skills to enhance security practices, build secure applications, and collaborate effectively with security teams. It does not transform them into hackers; it strengthens their defense against real-world threats.