The Importance of Ethics in Penetration Testing

Ethics are paramount to conducting penetration tests. Technologists conducting penetration tests must always closely obey the law and behave in a strictly ethical fashion to maintain a high level of trust, because penetration tests aim to determine the exploitability of a system's weaknesses without damaging or negatively affecting any systems in the process (Faily et al., 2016). Penetration testers are consistently faced with situations that increase the chance of unethical behavior or implicit bias, which Faily et al. refer to as "ethical hazards." These ethical hazards include situations with legal ambiguity, tests that involve a human target, tensions between offensive security team and defensive security team activities, and a client's possible indifference to security recommendations. Each situation that poses an ethical hazard requires a high ethical standard and attention to ethical responsibility on the part of the tester so that the integrity, confidentiality, and availability of the systems remain secure.

In the world of penetration testing, legal written authorization is what is referred to as a "get out of jail free card," and obtaining it is a prerequisite for conducting penetration testing legally. Penetration testers should be scrupulous, transparent, and thorough in their documentation, because proper documentation is fundamentally the only reason that penetration testing can be performed legally. Documentation also gives clients an understanding of the complete scope of work and builds trust with the penetration testers (Gillam, 2023). Faily et al. (2015) explain that hacking a system requires a set of technical and creative skills to succeed, but penetration testing has the added constraint of protecting both the dignity of users affected by the test and the systems involved from danger created by the test. When a penetration tester makes an incorrect ethical decision, they can easily face criminal charges.

References

Faily, Shamal; McAlaney, John; Jacob, Claudia. (2015). Ethical Dilemmas and Dimensions in Penetration Testing. Bournemouth University. https://cybersecurity.bournemouth.ac.uk/wp-content/papercite-data/pdf/fami15.pdf

Faily, Shamal; Jacob, Claudia; Field, Sarah. (2016). Ethical Hazards and Safeguards in Penetration Testing. https://dl.acm.org/doi/pdf/10.5555/3114770.3114793

Gillam, Jason. (2023, March 9). SecureIdeas. https://www.secureideas.com/knowledge/what-are-the-ethical-and-legal-considerations-for-penetration-testing