Network Security Penetration Testing - Code of Ethics

Professional, ethical, and authorized security testing depends on a code of ethics made up of rules agreed in advance. These rules govern how the testing service is delivered, the testing methods used, the legal terms agreed in contracts and negotiations, the scope of testing, test preparation, the testing process, and the consistency of the reporting structure. To account for all of these factors, the formal operating methods and related processes that must be followed throughout testing need to be carefully examined and designed. Some common ethical guidelines are described below.

Auditors must not conduct any form of penetration testing against the target system before reaching a formal agreement with the client. This unethical marketing method has the potential to disrupt the client's normal business. In some countries, this practice may even be illegal.

During testing, testers must not conduct security tests beyond the agreed scope without the client's explicit permission.

A formal, legally binding contract helps testers avoid unnecessary legal liability. It specifies which intrusion activities are exempt from liability. The contract must clearly state the terms and conditions of the test, emergency contact information, the statement of work, and any apparent conflicts of interest.

Testers should abide by the time limits for the security assessment specified in the test plan. Penetration testing should be scheduled outside normal production business hours so that testing and production do not affect each other.

Testers should follow the necessary steps agreed for the testing process. These rules constrain the testing process from both technical and management perspectives, through the internal environment and the personnel involved.

In the scoping stage, the contract should clearly state all entities involved in the security assessment and the constraints each is subject to during the assessment.


Origin blog.csdn.net/2301_76161259/article/details/130196767