Honestly, it’s only been the last few years that I’ve started hearing this term. So I’ve done some additional reading on it and want to add my own spin to it. Many articles are calling it white box hacking, or basically qualified individuals that don’t have nefarious intent. I do agree with that; obviously ethical and nefarious are antonyms, but is it just white box hacking? I think the term should be white hat hackers doing white, grey, or black box testing. Anything white hat should be considered approved work by a client that has hired an individual or company to perform testing on systems and applications.
The interesting thing is that the term ethical hacking services isn’t commonly used within security circles, at least not the circles I’m in. I’m finding the term to be a bit broad in its use. Any project, regardless of whether it is performed internally or externally, needs to be scoped properly. But I’m hearing the term being used broadly by fringe security people that really don’t clearly understand what they want or need.
I’m talking ethical hacking services being used anywhere from reverse engineering to penetration testing.
So what’s the point of this blog post other than musing? Whether you’re a fringe security person or a seasoned security engineer, just using the term ethical hacking services isn’t going to cut it. Not as long as the term is vague. As soon as I hear the term I know I have to do some diving into understanding what the real objective is, not just the perception of what the need is. That perception could come from the person asking or the engineer scoping it. Fine-tune the discussion, understanding what’s driving the request, who’s asking for it and again, what’s really needed.
Clients may always use different terminology; that’s fine. It’s up to the security professional to really understand what’s needed and desired. There’s nothing worse than hearing from a client that you gave them what they asked for, not what they needed.
Communicate, communicate, communicate.