
What’s The Main Pitfall of a Pentesting Career?

Pentesting is the hot new career path. It’s exciting, useful, and demand is skyrocketing.

So what’s the downside?

Well, there’s a chance law enforcement will arrest you. And if a recent case gives a peek into the current state of the industry, legislators may need to develop a legal framework that safeguards pen testers, stat.

What is Pentesting?

Pentesting stands for “penetration testing.”

Companies and governments commission pen testers to uncover security holes — both physical and digital — at government buildings and social media sites alike. Pen testers try to break into secured facilities, servers, and data centers — anywhere that should be impenetrable.

Arresting Pen Testers

Recently, a pen testing incident that ended in arrest spooked the industry.

It all started when the state’s judicial branch hired a pentesting company, Coalfire, to uncover security problems at the Iowa Supreme Court building. The two parties had been working together for about four years with no major issues.

One day, two Coalfire employees arrived at a courthouse in Dallas County, Iowa, on a mission. Their company had tasked the pair with trying to access off-limits areas.

When they arrived, they got to work and tried to sneak in behind authorized employees, a tactic known as “tailgating.” Coalfire also approved a bit of “non-destructive lock-picking.”

But things took a turn when the duo came across a propped-open door. They wanted to see if they could open it once closed, so they closed it, which triggered an alarm. Long story short, law enforcement officers rushed to the scene and made arrests.

Typically, if facility security teams catch pentesters, the contractors wait for authorities to arrive, explain who they are, and provide proof. This usually satisfies local law enforcement. The two Coalfire employees followed this method, and at first, things seemed to be going fine.

But then the sheriff showed up, and the pair was arrested on suspected burglary charges. They spent the night in jail, and their company bailed them out the next day.

That, however, wasn’t the end of it. Several weeks later, authorities still hadn’t dropped the charges despite definitive proof that the pair worked for Coalfire, whom the state’s judicial branch had hired for pentesting.

Looking Forward: Do We Need a Pentesting Legal Framework?

The case spooked the pentesting industry. Coalfire CEO Tom McAndrew explained: “I don’t know why they didn’t let them go. They were remanded to jail. We had thought the state was going to work out these issues with the county. Once we were told the charges were going to be reduced and not dropped, we were shocked that this was happening.”

David Kennedy, CEO of Binary Defense and Trusted Sec, weighed in on the situation, warning:

“I’ve had a lot of discussions with owners of organizations that do this kind of work that are kind of freaking out about this. You look at your job, and the protections you have in place. We try our best to make sure you are getting the full authorization. It’s really a shame these folks were trying to help that facility get better with security.”

If similar arrests keep happening, it may be time for lawmakers to establish a legal framework to protect security professionals.
