Introduction:
1. [QA.ST.7] Conduct proactive exploratory security testing activities
2. The Legal and Ethical Side of Penetration Testing: A Comprehensive Guide

[QA.ST.7] Conduct proactive exploratory security testing activities
Category: RECOMMENDED
Conduct frequent exploratory security testing activities,
encompassing penetration testing, red teaming, and
participation in vulnerability disclosure or bug bounty
programs.
Penetration tests use ethical hackers to detect vulnerabilities in systems or networks
by mimicking the actions of potential threat actors. These exploratory security tests reveal
weaknesses in the system using the ingenuity of human testers. Deployment pipelines can
trigger the penetration testing process and wait for an approval, which helps ensure that
vulnerabilities are identified and fixed before code moves to the next stage. Automation
can be used to run repetitive, baseline tests, such as dynamic application security
testing, so that human testers can focus on more complex scenarios. Review the AWS Customer Support Policy for
Penetration Testing before running penetration tests against AWS
infrastructure. Penetration testing is most effective when you need a broad review of the
application or system against known vulnerabilities.
Going beyond the scope of penetration tests, red
teaming emulates real-world adversaries in a full-scale
simulation, targeting the organization's technology, people,
and processes. Red teaming is more focused than penetration
testing, targeting specific vulnerabilities by allocating more
resources, spending more time, and examining additional attack
vectors. This includes potential threats from internal
sources, such as lost devices, external sources like phishing
campaigns, and those arising from social engineering tactics.
This approach provides insights into how threat actors might
exploit weaknesses and bypass defenses in a real-world
scenario. Red teaming evaluates the broader resilience of an
application or system, including its resistance to
sophisticated attacks that span the entire organization's
security posture.
Vulnerability disclosure and bug bounty programs invite external researchers to
examine your software, complementing and often surpassing internal security evaluations.
Researchers who participate in these programs not only identify potential exploits but
also verify them, resulting in higher fidelity findings. The person who identified the
vulnerability does not disclose it publicly for a set amount of time, allowing a patch to
be rolled out before the information is disclosed publicly, and in some cases will receive
compensation for their efforts. These programs foster a culture of openness and continuous
improvement, emphasizing the importance of external feedback in maintaining secure
systems.
The findings from exploratory security testing should be
communicated to development teams as soon as they are
available, allowing for quick remediation and learning.
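The pipeline gate described above (trigger the baseline security test, block or wait for approval depending on what it finds, and hand the findings to the owning team immediately) can be implemented as a small policy step between the scan and the promotion action. The following is an added example, not code from the AWS DevOps Guidance. It assumes a hypothetical DAST scanner that emits a JSON report with an "alerts" list of name/risk/url entries (the sample report is constructed); adapt the loader to your scanner's real output format.

```python
import json
from collections import Counter
from dataclasses import dataclass, field

# Severity ladder used by the policy below; a higher rank is worse.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample report in the shape of the hypothetical scanner's JSON output.
SAMPLE_REPORT = json.dumps({
    "target": "https://staging.example.internal",
    "alerts": [
        {"name": "Content-Security-Policy header not set", "risk": "Medium", "url": "/"},
        {"name": "Stack trace in error response", "risk": "Low", "url": "/api/v1/orders"},
        {"name": "SQL injection in search parameter", "risk": "High", "url": "/api/v1/search"},
    ],
})


@dataclass(frozen=True)
class Finding:
    name: str
    severity: str
    location: str


@dataclass
class GateDecision:
    status: str      # "PROMOTE", "HOLD_FOR_APPROVAL" or "BLOCK"
    reason: str
    findings: list = field(default_factory=list)


def load_findings(report_json: str) -> list[Finding]:
    """Parse the scanner report. Fails closed: a report with no alert list means
    the scan did not complete, and an unknown severity is treated as High."""
    data = json.loads(report_json)
    if "alerts" not in data:
        raise ValueError("report has no 'alerts' list; treat the scan as failed")
    findings = []
    for alert in data["alerts"]:
        severity = alert.get("risk", "High")
        if severity not in SEVERITY_RANK:
            severity = "High"
        findings.append(Finding(alert.get("name", "(unnamed)"), severity, alert.get("url", "")))
    return findings


def evaluate(findings: list[Finding], block_at: str = "High", hold_at: str = "Medium") -> GateDecision:
    """Apply the promotion policy: anything at or above block_at fails the stage,
    anything at or above hold_at pauses the pipeline for a human reviewer,
    otherwise the build is promoted automatically."""
    worst = max((SEVERITY_RANK[f.severity] for f in findings), default=-1)
    counts = Counter(f.severity for f in findings)
    summary = ", ".join(
        f"{sev}={n}" for sev, n in sorted(counts.items(), key=lambda kv: -SEVERITY_RANK[kv[0]])
    ) or "no findings"
    if worst >= SEVERITY_RANK[block_at]:
        return GateDecision("BLOCK", f"{summary}; remediate before promotion", findings)
    if worst >= SEVERITY_RANK[hold_at]:
        return GateDecision("HOLD_FOR_APPROVAL", f"{summary}; awaiting reviewer sign-off", findings)
    return GateDecision("PROMOTE", summary, findings)


def notifications(decision: GateDecision, target: str) -> list[str]:
    """One message per finding, worst first, to hand to the owning team right away."""
    ordered = sorted(decision.findings, key=lambda f: -SEVERITY_RANK[f.severity])
    return [f"[{f.severity}] {target}{f.location}: {f.name}" for f in ordered]


if __name__ == "__main__":
    found = load_findings(SAMPLE_REPORT)
    decision = evaluate(found)
    print(decision.status, "-", decision.reason)
    for line in notifications(decision, "https://staging.example.internal"):
        print(" ", line)
```

The gate fails closed on purpose: a missing alert list or an unrecognised severity is treated as a failed or high-risk scan rather than a clean one, so a scanner crash or a format change cannot silently promote a build. The thresholds are parameters so that the same step can block on High in production stages while only pausing for review in earlier ones.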
The Legal and Ethical Side of Penetration Testing: A Comprehensive Guide
Date: November 20, 2024
Time: 6:30 AM MST | 8:30 AM EST | 7:00 PM IST
Topic: Guide to Penetration Testing: Navigating the Legal and Ethical Landscape
Abstract: With organizations expanding their digital presence globally, compliance for data protection is becoming increasingly important. Through the proactive penetration testing approach, vulnerabilities within these data systems can be identified and fixed even before malicious actors can exploit them. However, the scope and limitation of pen testing capabilities are strictly regulated by ethical and legal considerations. As part of the series ‘Guide to Penetration Testing,’ this webinar explores the challenges and practices associated with legal and ethical aspects that penetration testers need to consider. From understanding the legal frameworks that govern penetration testing to authorization and disclosure, the webinar will discuss the approach to maintaining systems and data integrity and avoiding legal pitfalls. Additionally, it aims to equip security professionals, pen testers, and ethical hackers with the knowledge needed to conduct penetration tests responsibly and legally. Attendees will also gain valuable guidance to help them perform penetration tests that strengthen security and uphold the highest standards of legal and ethical responsibility.
Key takeaways:
Understanding how to define methodologies and the scope of penetration testing
Developing and integrating a legal framework to govern penetration testing
Best practices for ethically conducting a penetration test
Common legal pitfalls to avoid while conducting a penetration test
Balancing holistic security and authorization via pentesting
Speaker:
Rodney Gullatte, Jr., Certified Ethical Hacker and CEO of Firma IT Solutions
Bio: Rodney Gullatte, Jr., is a community leader, US Air Force veteran, certified ethical hacker, certified chief information security officer, certified network defense architect, and holds another 13 certifications. He is the CEO of Firma IT Solutions, which provides penetration testing services for private companies that currently have internal IT/Cyber support or are outsourcing their IT/Cyber services. With a background in information technology and cybersecurity that includes the Department of Defense, retail, healthcare, casinos, utility companies, and more, Rodney has developed Firma IT Solutions to bring this enterprise pen testing service to businesses in the Pikes Peak Region and across the world. Colorado Springs, CO, is his 5th community as a military family. In the short span of 9 years, Rodney established himself in Colorado Springs as a transformational business and community leader. His latest accomplishments are becoming the first Black President of the Rotary Club of Colorado Springs (2020-2021), winner of Colorado Springs Business Journal Best in Business 2017 and 2023 #1 Cybersecurity Company, recipient of the Colorado Springs Business Journal Rising Stars Class of 2018 award, winner of the 2020 Mayor’s Young Leaders Award in Technology and Sustainability, winner of the 2020 Front Range Power Connectors Networker of the Year, founder of the Colorado Springs Black Business Network, and winner of the Small Business Week 2019 Veteran Business Owner of the Year. He is the immediate past President & CEO of the Colorado Springs Black Chamber of Commerce. He serves on the board of directors for the Colorado Springs Chamber and EDC, the Cultural Office of the Pikes Peak Region, and the National Cybersecurity Center. He is an alumnus of the inaugural Colorado Springs Mayor’s Civic Leaders Fellowship, Colorado Governor’s Fellowship Class of 2022, and Colorado Springs Leadership Institute Class of 2019.
He is currently an Honorary Commander of the US Air Force Academy. He is one of 50 people globally to be honored as a 2023 EC-Council Chief Information Security Officer Hall of Fame Award Winner.