PenTesting and Ethics


A very interesting whitepaper in the SANS reading room titled “Profiling Hackers” raises a pertinent question:

“If the target defines hacking, then victimology comes into play. This is subjective because where is the line drawn? Is it illegal to hack a credit union but heroic to attack an online pedophile ring who engages in human trafficking?”

There are so many factors that a professional pen tester has to consider, above and beyond technology. Laws, AUPs, contracts, scopes, nuances of dependent systems, and perhaps equally importantly, personal ethics.

While “excitement” is often thrown around in the same breath as ethical hacking and pen testing, I think what separates a professional from a rookie white hat hacker, is tempering the “thrill”, seeing the big picture, accepting responsibility, and acting with a conscience – and of course, always staying within the law.

More challenging than mastering tools, and being a brilliant hacking strategist, I think.