In this Help Net Security interview, Balázs Pózner, CEO of Piracy ratediscusses the essential technical skills of ethical hackers and how they vary across different security domains. He explains how AI and machine learning improve ethical hacking by streamlining vulnerability detection and strengthening defenses.
Pózner also discusses legal challenges and highlights the role of community testing and user education in improving cybersecurity tools.
What are the most critical technical skills an ethical hacker should possess, and how do these vary depending on security domain?
Curiosity and perseverance are the most important qualities for an ethical hacker. The world of technology is evolving rapidly, and continuous learning and improvement is essential. While it is impossible to master all technologies, having developer skills can be a significant advantage. Understanding how applications are built and being able to develop them provides insight into potential vulnerabilities.
A professional and ethical hacker must have a thorough understanding of various computer systems, networks and protocols – essentially, in-depth “under the hood” knowledge. This fundamental expertise allows them to effectively navigate different environments. Additionally, target-specific knowledge is crucial, as security measures and vulnerabilities can vary significantly depending on the technology stack used.
Specialization can be beneficial, but it also poses a risk. Pentesters must balance their expertise to avoid focusing too narrowly. However, on bug bounty platforms, success can be achieved even without in-depth technical knowledge. Diverse perspectives often lead to the discovery of unique vulnerabilities, and many bug bounty hunters focus on specific vulnerabilities, such as IDEUR (Insecure Direct Object References).
In my experience, ethical hackers who continually update their skills and knowledge tend to be more successful. For example, understanding the latest trends in IoT devices can open up new opportunities to identify vulnerabilities that others might overlook. This adaptability is crucial in our field.
What are some common challenges that ethical hackers face, especially when working within organizational constraints or legal boundaries? How do they manage to deal with the complexities of different laws and regulations?
Ethical hackers must have a thorough understanding of regulationsbecause legal boundaries can vary considerably. Bug bounty platforms provide a safer environment for ethical hackers by providing clear guidelines and legal protections. However, navigating complex legal landscapes remains a challenge, particularly for pentesters.
Ethical hackers often receive requests from customers or sales teams to perform unauthorized hacks, sometimes under the mistaken impression that this is part of the pre-sales process. It is crucial to reject such requests in order to maintain ethical standards and legal compliance. Clear communication and strict adherence to ethical guidelines are essential to effectively address these challenges.
How can AI and machine learning be integrated into ethical hacking products, and what unique benefits do they offer?
AI and machine learning can significantly improve ethical hacking efforts. On the offensive side, automated processes supported by AI can effectively identify vulnerabilities and suggest areas for additional manual security testing. This streamlines the initial phases of penetration testing and helps uncover potential problems more effectively. Additionally, AI can help generate detailed reports on penetration testing, saving time and ensuring accuracy.
On the defensive side, AI and machine learning are invaluable for detecting anomalies and correlating data to identify potential threats. These technologies enable a proactive approach to cybersecurity, enhancing offensive and defensive strategies. By using AI and machine learning, ethical hackers can improve their effectiveness.
We are working to integrate AI into our HackGATE tool to automate the initial vulnerability scanning process. This not only speeds up the testing phase, but also allows our ethical hackers to focus on more complex security issues. For example, AI can help prioritize vulnerabilities based on their potential impact, allowing our team to respond to the most critical threats first.
What role do you see community testing (e.g. crowdsourced or open source contributions) playing in the development and quality assurance of ethical hacking products?
Open source contributions play a crucial role in the development of ethical hacking products. An interesting perspective was shared by Jason Haddix in his DEF CON keynote, where he mentioned that major security vendors, such as web application firewall providers, collect payloads used by major ethical hackers . While this practice can be considered a form of intellectual property theft, it also contributes to the development of more effective security products.
Crowdsourced security testing brings diverse perspectives and approaches to the testing process, increasing the likelihood of identifying software bugs. This collaborative approach, combined with traditional testing methods, ensures a more secure product and leads to higher quality results.
Ethical hacking products require expertise. What role does user training play in your product strategy and how do you support users in mastering your tools?
User training is a key part of our product strategy. We prioritize creating a user-friendly interface that helps users of all levels of technical expertise. Additionally, we provide extensive documentation for those who prefer self-guided learning.
We also offer personalized integration sessions and individual meetings to provide tailored support. This close interaction is highly valued in the cybersecurity market, where personalized support can significantly improve the customer experience and build trust in our product. Additionally, we implement industry standard best practices and maintain multiple support channels to ensure users have the appropriate resources.
When I speak with our customers, I emphasize the importance of ongoing support. For example, during an onboarding session with a new client, we supported them throughout the process. This personalized approach not only helped them get up to speed quickly, but also established a foundation of trust and long-term partnership.