How delving into hacking has made me a better (more secure) programmer

Wednesday 27 November, 1:30 pm - 2:10 pm

Speakers

Gaurav Sood

Head Of Architecture
miniOrange

Synopsis

It is a cat and mouse game as far as threat actors and security professionals are concerned. Threat actors and defenders are forever locked in a battle for one-upmanship. As defenders, it is a battle to keep our digital assets, infrastructure and information secure. As attackers, it is the next set of credentials, PII or secrets that you can leverage for your own personal gain. It is a never-ending battle. With AI in our midst, the stakes have just been escalated, with each side trying to leverage AI and automation to the best of its ability. It is as yet uncertain which side is winning. How about using knowledge of both worlds to secure what we can: our applications?

It is well known that we may have the best, cutting-edge infrastructure and applications built on the latest, cool tech stacks with snazzy user interfaces, and colossal security products attempting to protect the data and assets. However, it takes just a tiny section of code, one vulnerability that we knowingly or unknowingly introduce, to become the Achilles heel.

I have been a programmer for more than 15 years and I have seen the kind of mistakes that can be made, the impact they can lead to and, sometimes, how simple the solutions really were. This especially came to mind when I started delving into Ethical Hacking and trying to use tools like Burp Suite and Kali Linux in an attempt to break the barriers of the code written by me and my team. And the results were revealing. There were still security holes in the code, and they were surprisingly not hard to find or fix.

This submission aims at utilising offensive security skills as a way to know what mistakes we as programmers make while writing code, our oversights, what we ignore and what can come back to bite us in the arse. Even though the domains of writing code for building products and security testing diverge to a great extent, there is no reason why we, as programmers, cannot utilise the best of offensive security testing tools to improve how we write code, do the basics right and improve our security at the application level. Additionally, I feel it is prudent to create a development and deployment framework with multiple layers at which security testing occurs, which can go a long way in reducing the bugs that reach a production environment.

Through the course of the session, I will go through my journey as a programmer at heart turned ethical hacker, and how I attempted to improve the security of the codebase through bugs found in my ethical hacking experiments. I will also touch upon a framework that we can implement across our development lifecycle for having security checks at different levels, in an attempt to keep our codebase secure.

Acknowledgement of Country

We acknowledge the traditional owners and custodians of country throughout Australia and acknowledge their continuing connection to land, waters and community. We pay our respects to the people, the cultures and the elders past, present and emerging.