Association of Professional Penetration Testers Code of Ethics

Before performing any ethical hacking, ensure that you know and understand the nature
and characteristics of the client organisation’s business, systems and network. Every
industry can have specific limitations imposed by regulations. Provide services only in your
areas of competence, and be honest and forthright about any limitations of your
experience and education. Ethical hacking requires great technical knowledge
and experience in the field; do not attempt projects or tests that are
beyond your knowledge or experience. Be sure to understand all procedural and
legal aspects of the firm you are serving with a penetration test. Know your legal
limits and inform clients about these limits if they are not aware of them.

I know from my personal experience while working in the Information Security Service of a
bank in Istanbul that our banking regulations in Turkey mandate certain
experience and knowledge for proper penetration testers. According to the
regulations, comprehensive penetration tests are obligatory at least
twice a year. Under the same regulations, professional penetration testers’ technical
group leaders should have at least five years of experience in penetration testing in
financial environments and a proper educational background.
There are other compulsory requirements for the other members of the penetration
test group and for general penetration test aspects. These obligations exist
to protect financial services and industries from the consequences
of improper penetration tests.

You should consider the sensitivity and secrecy of the data involved before and during a
penetration test. While handling sensitive personal, financial or proprietary
information, you should ensure that you are not going to violate laws, rules or
regulations. Keep confidential data you obtain private while executing
penetration tests, and do not share client lists or their personal information. Do
not give, sell, share or collect private information such as ID numbers or e-mail
addresses with third parties without the customer’s prior consent. You shouldn’t discuss
the findings of the penetration test with unauthorised individuals, and you should
never take personal copies of a client’s data. You shouldn’t publish
vulnerabilities on your personal blog or website; don’t do this without the
permission of the client even if you don’t mention their name or confidential
details. You should encrypt client data and store it in a secure environment
if it must be retained, and never disclose client information to other parties. Ensure you
strongly protect client data.

Maintain transparency with the client during and after penetration tests. Communicate
all relevant information you find while performing the penetration test on the client’s
system or network. Avoid conflicts of interest between you and the client, and
disclose any conflict you believe you cannot avoid or escape from. Transparency
ensures that clients are aware of the penetration test process, so they can
take necessary actions if needed. Ensure good management of any project you
lead, including effective procedures for promoting quality and full
disclosure of risks. Do not avoid telling the client about risks: a
penetration test always involves risks to the process, so the penetration
tester should be honest and clear about the risks they see. If you see a risk
that could reveal sensitive information, inform the client about the possibilities
and obtain their permission. Be sure to document such risks and permissions so
you will not have trouble in the future. Insist on learning the limits of the
client and do not go beyond the limits set by the client while performing
ethical hacking. Stay within the target areas of the system or network
specified in the work agreement. Be sure you are properly authorised and never
perform unauthorised testing. Stay committed to the agreement you made with the
client before you start penetration testing. Basically, test everything in
scope and never go outside it.

Finally, do not associate with black-hat hackers who serve to attack corporate
networks and environments. Do not communicate with or be part of any kind of illegal
underground community, so they won’t be able to expand their activities. Reputation
and trustworthiness are key elements for an ethical penetration tester.
Associating and communicating with underground communities and black-hat
hackers can end the careers of ethical hackers.