Yes, they can, but not without specific training in security exploits and the associated tools to hack a live system.
There is a common misconception that all software engineers can hack servers or websites. Many software engineering jobs only require engineers to design simple data flow functionality from the user to a database via a website.
Some frameworks and libraries help the software engineer at each layer, i.e. front-end or back-end work. So the average software engineer won’t often use the skill set required to hack a system.
Software engineers who can also hack need to know the specifics of these libraries or frameworks and have detailed knowledge of how common technologies are built, e.g. HTTP/HTTPS, SSL and SQL.
Knowing how data is sanitised before being saved to a database or how cookies work on websites is only one part of the equation. Most software engineers will have to deal with these topics when building websites. The engineer will need to know this to implement defensive coding strategies.
Defensive coding strategies are strategies that engineers and developers use to protect systems from security issues.
For example, when building a form for users to enter their details, the engineer will sanitise the data, ensuring that none of the text entered is a malicious script.
Another strategy is to ensure that no API endpoints (the URLs requests are sent to in order to get data from your system) are open to all users. This could be enforced with a JWT or another authentication method.
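As an added example (not code from the original article), here is a minimal Python sketch of both strategies: the form field is HTML-escaped before it is stored, and the profile endpoint refuses any request that does not carry a valid, unexpired HS256 JWT. The secret, the claim names and the handler are constructed for the demo and are not from any real service.

```python
import base64, hashlib, hmac, html, json, time

# Constructed demo secret; a real service loads this from a secret store.
SECRET = b"demo-secret-not-for-production"

def escape_form_field(value: str) -> str:
    """Neutralise HTML and script in user-supplied text before storing or rendering it."""
    return html.escape(value, quote=True)

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def issue_token(claims: dict) -> str:
    """Mint a compact HS256 JWT (header.payload.signature) for the given claims."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_token(token: str, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm server-side: never let the token pick "none" or another alg.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # constant-time compare avoids leaking the signature via timing
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad base64, malformed JSON, or wrong number of segments
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return claims

def handle_profile_request(authorization_header, form_data, now=None):
    """Minimal endpoint: refuse unauthenticated calls, escape user input before storing it."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    claims = verify_token(authorization_header[len("Bearer "):], now)
    if claims is None:
        return 401, {"error": "invalid or expired token"}
    stored = {field: escape_form_field(text) for field, text in form_data.items()}
    return 200, {"user": claims.get("sub"), "stored": stored}
```

The `now` parameter exists only so expiry can be tested deterministically; leave it unset in real use.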
Software Engineer vs Hacker
There are several job functions that a software engineer has to perform to do their job, just as there are several requirements for someone to be classified as a hacker. The table below shows the requirements of a software engineer in one column and the basic requirements for someone to consider themselves a hacker in the other.
|Software Engineer|Hacker|
|---|---|
|Computer Networking|Computer Networking|
|Database knowledge|Database knowledge|
|Design Patterns|Hacking tools|
|Source Code Repositories (Git/SVN)|Malware & Ransomware|
As you can see, there is a lot of overlap between a hacker and a software engineer. The table differs once you start seeing the specific skills that a hacker needs that an average software engineer wouldn’t need to have.
The depth of knowledge in a particular topic is another difference. For example, computer networking for most software engineers will only go as far as getting a system working behind a firewall or load balancer.
On the other hand, a hacker would look at the network for any information that might help them learn more about the system. For example, DNS entries (TXT records) may give more insight into how the system is hosted or what other services it might have access to.
Is Hacking a career pathway for a software engineer?
Yes, hacking can be quite a lucrative career for a software engineer. In this case, it would be considered ethical hacking. Ethical hacking is when a hacker is given authority to try and hack a system. Companies worldwide rely on ethical hackers to help keep their systems safe from non-ethical hackers.
Software engineering is a perfect place to start for anyone looking to become an ethical hacker. Computer science or software engineering would be two of the most direct routes to becoming an ethical hacker. These disciplines would give the base level of knowledge about computer systems that could then be built on top of when learning hacking techniques and principles.
A software engineering degree isn’t a must-have when wanting to become an ethical hacker, but it would greatly benefit anyone looking for a career in the ethical hacking field. Plenty of hackers have gotten into the field by just playing around with computer systems, but that won’t take you as far as having deep knowledge on a broad range of computer topics like a degree in software engineering would give you.
What course can a software engineer take to start an ethical hacking career?
A certification, CEH (Certified Ethical Hacker), can be obtained through the EC Council CEH program. This certification is probably the most well-known and trusted certification for aspiring hackers. They have a good reputation amongst big companies like Microsoft, IBM and Cisco. Software engineers who obtain a CEH will have a good chance of obtaining a professional security role.
Another certification that is well regarded by top tech companies is the PEN-200 OSCP Penetration Testing certification. This certification is known to be quite difficult to obtain. The exam requires the candidate to use a suite of tools, testing their ability to apply the knowledge learned in the course. This is different from a course that relies on a typical question-and-answer exam and lends itself more towards a Capture the Flag kind of challenge.
Hacking relates to finding exploits in technology, allowing hackers to access information that is meant to be private. To find these exploits, hackers use a variety of techniques and tools.
Not all software engineers can hack. Hacking requires specific knowledge in different areas of software engineering that not all software engineers will possess. For example, network security and cryptography are two areas of which most software engineers will only have a high-level knowledge.
In contrast, a hacker will understand these topics in depth and will be able to use this knowledge to expose security holes in systems.