By Konstantinos Karagiannis, Principal Consultant, Ethical Hacking
Hackers thrive on eureka moments. Nothing makes us happier than receiving the ultimate reward for hours of looking through logs, poking at parameters, and otherwise attacking apps. Part of the job is finding and documenting the low-hanging fruit, sure. But the biggest thrills are in those magic moments, which often come after enough coffee to kill lesser mortals. Moments when we move from documenting SSL certificate errors to capturing 50,000 social security numbers!
You know what never experiences eureka moments? Today’s web application scanners.
As expensive as they are (some well above $10,000), web application scanners are sort of … lame. Currently, scanners possess the intellect of insects, blindly crawling web sites and occasionally stumbling across obstacles they may or may not recognize. I mentioned low-hanging fruit before, and scanners can find lots of it. Yet they miss most of the really dangerous issues, and, perhaps worse, send developers on “fruitless” quests chasing false positives that far outnumber valid findings.
With the exception of annual audit checks and sites that have been gone over repeatedly, every new hack that comes our way holds the promise of a big finding. While we do have a plump methodology, the WAM (Web Assessment Methodology), using such a thing doesn’t let us predict which digital door or loose window will lead to a showstopper break-in. It could be the way the app’s pieces interact, or a custom encryption method that can be cracked to reveal sensitive data to the world. We don’t know where this magic weakness will appear up front, and that’s part of the thrill of the hunt.
Currently, a hacker with a modest year of experience, armed with a solid methodology, should win a bakeoff against all the world’s leading web app scanners combined. Creativity can’t be programmed, after all. Even Watson, the supercomputer that slaughtered the Jeopardy! champs, offered nothing but a response and a wager during Final Jeopardy. It was Jennings who creatively wrote in that he welcomed the coming of our “computer overlords.”
Funny as Jennings was with his parting quote, Artificial Intelligence (AI) is seriously advancing. It’s only a matter of time before the computing horsepower of something like IBM’s DeepQA engine creates a Watsonesque hacking machine. Watson itself has since been adapted from game-show contestant to healthcare analyst, working on treatment options for a pool of 34 million patients. Couldn’t a machine like that learn about the types of mistakes web developers make and become an uber-hacker?
With a literal quantum leap in computing on the horizon (quantum computing is coming, and I’ll have more to say in a future blog), running advanced AI software could become trivial in just about any industry. Web application scanners may go from simple comparison checkers to intelligent hacking systems that follow every possible exploit down every digital rabbit hole, all in minutes.
Will this be the end of human hackers? Will we be, as Jennings hinted at, serving our computer overlords, perhaps making sure their kernels are patched and tweaked?
I have more than a gut feeling this won’t be the case. Even after the inevitable Watsonesque scanners arrive, they won’t truly think or achieve creativity. Hacking is not about checking off boxes and moving on. Methodologies and repeatable quality of work are important ingredients, but without creativity and curiosity you just don’t have a true hacker.
Several big companies are recognizing that as scanning gets better and becomes more ingrained in the development cycle, hacker talent can be applied in other ways. The whole concept of Threat Modeling (one more blog topic on my to-do text file) is devoted to six major steps for analyzing the big picture of a particular system or application. While it reads a little dry for the layperson, the Threat Modeling methodology requires human interaction and hides between its lines a familiar concept:
Looking for that eureka moment.