Of course, ethics and the law aren’t quite the same thing—and no matter how much you hew to your code of ethics, you need to make sure you stay on the right side of the law. That's especially true in the pen testing world, where legalities can be blurry and customer egos can be bruised, says Michael Jeffcoat, founder of The Jeffcoat Firm. Jeffcoat is an insurance attorney who has worked closely with several white hat hackers over the years. "The lack of a universally recognized legal framework leaves ethical hackers prone to lawsuits," he explains. "While ethical hackers might have a contract stating that their employers specifically asked them to infiltrate their systems, the employer may still file a lawsuit if they deem that the hacker performed 'unsolicited attacks.'"
To head off that sort of trouble, he advises that pen testers have a good grounding in the relevant law, a good attorney, or both. "Ethical hackers must extensively read their project contracts," he urges. "All agreements should explicitly state the scope and limitation of the penetration testing services ordered. Remember: explicit details prevent subjective contract interpretations."
The few, the proud, the hackers
The qualities we've described here, combining technical savvy, out-of-the-box thinking, and "soft" communications and collaboration skills, may sound like a tall order. But it also explains why ethical hackers seem to loom larger than life within security circles.
"A personable hacker, one that people like, trust and like to talk to, is the most dangerous and in demand of them all," explains DeMercurio. "Why? Because that is the person that talks their way into a building, has someone hand them the keys to the data closet, and then leaves them alone because they were trustworthy. That is who you should aspire to be and that is the very person companies should be terrified of. Lucky for them, we’re white hat hackers."