The best way for IT administrators to test their systems is by using hacking tools against them, according to a leading security specialist.

The plethora of exploit code available on the web to attack corporate servers should be used as a resource to test computer security. By running such code administrators can judge the efficacy of their defences and make appropriate adjustments.

"There are several legitimate uses for exploit code," explained Ivan Arce, chief technology officer at Core Security Technologies.

"We need to understand the strengths and limitations of our tools. It helps to deploy timely and cost-effective mitigation measures."

Arce pointed out that code designed to exploit flaws in software programs is a valuable resource and should be used as such. Both legitimate and illegal organisations are now selling such code for use in testing.

This new value on exploit code is such that new vulnerabilities are being traded on the open market. Spammers and malware writers are buying it to further their ends, but legitimate security companies are also buying the information.

"There is an increasing perception of value for vulnerability code," said Arce. "The good guys value it and are not giving it up for free. The bad guys want it so they can carry on their attacks."