Webapps and whitehats
By Pat GRAY
We've got used to the idea now that ethical hackers will tear through software from vendors like Oracle, Microsoft, Apple and more in search of vulnerabilities. They're not troublemakers, they're performing a public service -- it's better the good guys know where the vulnerabilities are, not just the bad guys.
But the increasingly popular concept of software as a service (SaaS) is throwing some interesting spanners into the security vulnerability research works.
Don't know what SaaS is? Think of the CRM application from Salesforce.com. That whole company is based around a Web application. Google's also in on the action with online applications like Google Docs, Spreadsheets, Gmail and much, much more.
Unlike actual software that you install on your computer, you access Web applications via a browser. You're just using some software that's provisioned by a third party. You never actually install it.
So how can you probe it for vulnerabilities without the feebs possibly knocking on your door?
Well, it seems, you can't.
While your motives may be as pure as the driven snow while you're hacking away at ANZ's Internet banking gateway or a Salesforce.com feature, there's no way for those organisations to know that.
Now, you might not see the problem here. People should just avoid trying to mess with Web applications, right?
Unfortunately, it's not that simple. If we don't let the good guys attack Web applications -- and I don't mean a team of consultants here, I mean the wider, white-hat security community -- then chances are their security will suffer.
Obvious bugs could go unchecked and eventually be identified by the very people who don't care about attracting the attention of the feebs: "dark side" hackers with nasty motives.
This will definitely be an area to watch in the future. Could Web application companies set up testing environments that white-hat hackers could attack without drawing ire? How can Web application publishers benefit from the white-hat community's expertise without throwing the door open to all and sundry to attack them?
Watch this space. In the meantime, if you'd like to hear Web app security specialist and former "hacker Yahoo!" Jeremiah Grossman discussing this topic, tune into this week's episode of the Risky Business security podcast.
Patrick Gray is an IT security expert, so we can't show you his face for your own protection. Each week he delves into technology's dark underbelly to see what lurks in the shadows.