Hacking Methodology
- Introduction of Hacking Methodology
- Understanding the Terms of Hacking
- A Brief History of Hacking
- What Motivates a Hacker?
- Ethical Hacking versus Malicious Hacking
Ask any developer if he has ever hacked. Ask yourself if you have ever been a hacker. The answers will probably be yes. We have all hacked, at one time or another, for one reason or another. Administrators hack to find shortcuts around configuration obstacles. Security professionals attempt to wiggle their way into an application/database through unintentional (or even intentional) backdoors; they may even attempt to bring systems down in various ways. Security professionals hack into networks and applications because they are asked to; they are asked to find any weaknesses that they can and then disclose them to their employers. They are performing ethical hacking, in which they have agreed to disclose all findings back to the employer, and they may have signed nondisclosure agreements to verify that they will NOT disclose this information to anyone else. But you don’t have to be a hired security professional to perform ethical hacking. Ethical hacking occurs anytime you are “testing the limits” of the code you have written or the code that has been written by a co-worker. Ethical hacking is done in an attempt to prevent malicious attacks from being successful.
Malicious hacking, on the other hand, is completed with no intention of disclosing weaknesses that have been discovered and are exploitable. Malicious hackers are more likely to exploit a weakness than they are to report the weakness to the necessary people, thus avoiding having a patch/fix created for the weakness. Their intrusions could lead to theft, a DDoS attack, defacing of a Web site, or any of the other attack forms that are listed throughout this chapter. Simply put, malicious hacking is done with the intent to cause harm. Somewhere in between the definition of an ethical hacker and a malicious hacker lies the argument of legal issues concerning any form of hacking. Is it ever truly okay for someone to scan your ports or poke around in some manner in search of an exploitable weakness? Whether the intent is to report the findings or to exploit them, if a company hasn’t directly requested attempts at an intrusion, then the “assistance” is unwelcome.
Working with Security Professionals
The latest trend in protection against an attack by an unsolicited hacker is to have a security professional on staff. This practice is sometimes referred to as “hiring a hacker,” and to management, it may appear to be a drastic defense against potential attacks. It is a perfectly logical and intelligent solution to an ever-growing problem in Web application development. Security professionals may be brought on as full-time employees, but oftentimes they are contracted to perform security audits, return results to the appropriate personnel, and make suggestions for improving the current security situation. In larger organizations, a security expert is more likely to be hired as a full-time employee, remaining on staff within the IT department.
A security professional is familiar with the methods used by hackers to attack both networks and Web applications. A security professional should offer the ability not only to detect where an attack may occur, but also to assist in the development of a security plan. Whether that means introducing security-focused code reviews to the development process, having the developers learn the strategies most often employed by hackers, or even simply tightening up existing holes within applications, the end result will ultimately be better security. Of course, along with this proactive decision comes a security risk. How can you be sure that the tools you put in this employee’s hands will be used properly, and that the results of their investigations will be handled properly?