Legal and ethical aspects
The aim of this report is to critically compare the existing methods of penetration testing against the scope of the scenario. The scenario concerns an SME that is building capabilities in penetration testing. A team of three consultants is preparing to deliver a project based on white box penetration testing (Gluth et al., 2020). The client has asked the employer to conduct the pen test against a web server and its associated web application, which is hosted on Amazon AWS. This paper discusses the legal and ethical aspects of pen testing as well as the comparison criteria.
Pen testing is a type of security testing used to discover existing vulnerabilities, risks and threats that an attacker could exploit in web apps, software applications and networks. Its main purpose is to identify and test all of the possible security vulnerabilities present in the software application (McKinnel et al., 2019). The biggest issue is that there are various security testing tools whose use is judged by the intent of the user, which means there are inherent challenges in proving that people are breaking specific laws. Under the laws and regulations of the UK, there are various legal and ethical aspects of penetration testing, such as:
- The Computer Misuse Act 1990 is an Act of the UK Parliament that was introduced partly in response to the decision in R v Gold & Schifreen (1988) 1 AC 1063. Critics of the bill complained that it was introduced hastily and was poorly thought out (Singh et al., 2019). The Act has nonetheless become a model from which other countries have drawn inspiration when subsequently drafting their own information security laws, as it is seen as a flexible and robust piece of legislation for dealing with cyber crime. The Act introduced three types of criminal offence. The first is unauthorized access to computer material, which is punishable by six months' imprisonment or a fine (Zhang et al., 2019). The second is unauthorized access with the intent of committing or facilitating the commission of further offences, for which it sets six months in prison or the maximum fine on indictment. The last is unauthorized modification of computer material, which can be subject to similar sentences as section two offences.
- The Data Protection Act 1998 controls how personal information is used by businesses, organisations or the government. Everyone who is responsible for using data must strictly follow rules known as the principles of data protection (Luswata et al., 2018). They must ensure that the information is used lawfully and fairly, and for limited and specifically stated purposes (Davidson et al., 2018). The information should also be kept for no longer than is absolutely necessary, and it should be kept safe and secure.
- While doing pen testing, the Human Rights Act 1998 should also be followed as per the laws of the UK. This Act received royal assent on 9th November 1998 and mostly came into force on 2nd October 2000. Its main aim is to give further effect in UK law to the laws and rights contained in the convention for providing security and protection to fundamental freedoms and human rights. There will be no interference by a public authority with the exercise of the right except as is required by law in a democratic society in the interests of national security, the economic well-being of the country or public safety.
Along with the laws discussed above, there are some major ethical aspects that need to be considered while performing penetration testing. They are:
- Keep confidential and private information gained during testing secure. Do not give, sell, collect or transfer any kind of personal information to a third party without the prior consent of the client (Christen, Gordijn and Loi, 2020).
- Protect the intellectual property of others by relying on your own efforts and innovation, thus ensuring that all the advantages vest with the originator.
The pen testing methodologies OWASP, PTES and OSSTMM will be compared with each other according to their effectiveness, confidentiality and working process. The methods will also be compared according to their effectiveness in cutting the cost of network downtime (Khera, Kumar and Garg, 2019). Penetration tests are best known for revealing the weaknesses in the target environment: at the end of the test, a report is received listing all of the problematic access points in the system, along with suggestions for the software and hardware improvements needed to upgrade security. Usually, pen testing begins with the high-risk vulnerabilities and then moves on to the low and medium risks. The methods will also be compared accordingly (Sina, 2019). The results of pen testing vary with the skills of the white hat hackers, the time taken for the test, and changes in the system at the time of the test.
Comparison criteria
The methods will also be compared according to how well the testing responds to real cyber threats (Lu and Yu, 2021). If the hackers' methods are known, tactics and tools can be prepared to shut them down and remove them from the system. As the main purpose of pen testing is to secure the system, the methods will be compared according to these criteria.
A pen testing methodology is the manner in which a pen test is organised and executed. Pen testing methods exist to identify the security vulnerabilities in an organisation. Each methodology outlines a procedure an organisation can follow to discover vulnerabilities (McKinnel et al., 2019). While organisations can use custom processes of their own, there are many industry-organised and readily established methodologies that can be a great option for the organisation. The top four pen testing methods are OSSTMM, OWASP, PTES and NIST.
The OSSTMM, or Open Source Security Testing Methodology Manual, is one of the most recognizable pen testing methods in the industry (Rani and Nagpal, 2019). It is a peer-reviewed method maintained by the Institute for Security and Open Methodologies (ISECOM). It allows organisations to tailor their pen tests to their specific requirements while giving developers access to more secure portions of their environment for development (Gluth et al., 2020; Zhou et al., 2019). The method also contains checks for ensuring adherence to laws and regulations.
The Open Web Application Security Project (OWASP) method of pen testing is a set of guidelines and standards for the security of web applications, and it is often the starting point for IT personnel first venturing into the realm of pen testing (Baloch, 2017). This method provides various resources of its own for improving the security posture of both external and internal web-based applications by giving companies a comprehensive list of web application vulnerabilities along with methods of mitigating them (Zhu, 2017).
Penetration testing methodology comparison
The Penetration Testing Execution Standard (PTES) provides a high-level overview of pen testing. It includes all the traditional steps: Pre-engagement Interactions, Intelligence Gathering, Threat Modelling, Vulnerability Analysis, Exploitation, Post Exploitation and Reporting.
Another methodology is NIST, which stands for National Institute of Standards and Technology. It is more of a security framework than a method of pen testing (Dieber et al., 2020). It provides baseline standards for configuring the technologies, along with the stakes within the environment, which can be applied to pen testing.
Among all these methods, OWASP can be chosen for the next stage, as it will be a great way for the organization to implement regular security assessments. The feedback from a security assessment allows methods to be changed and adapted according to the results (Schwartz et al., 2020). When followed flexibly and updated regularly, pen testing methods work for those who use them and bring success and simplicity to the organization's cyber security assessment procedure.
Conclusion:
Thus, it can be concluded that the legal and ethical aspects of penetration testing have been discussed in this paper. The methods of pen testing have been compared with each other according to the requirements of the scenario. The comparison criteria have also been discussed and the methods compared accordingly. Among all those methods, OWASP has been chosen and recommended for the next stage.
References:
Baloch, R., 2017. Ethical hacking and penetration testing guide. Auerbach Publications.
Christen, M., Gordijn, B. and Loi, M., 2020. The ethics of cybersecurity (p. 384). Springer Nature.
Davidson, C., Al-Baghdadi, T., Brown, M., Brennan, A., Knappett, J., Augarde, C., Coombs, W., Wang, L., Richards, D., Blake, A. and Ball, J., 2018. A modified CPT based installation torque prediction for large screw piles in sand. In Cone penetration testing 2018 (pp. 255-261). CRC Press.
Dieber, B., White, R., Taurer, S., Breiling, B., Caiazza, G., Christensen, H. and Cortesi, A., 2020. Penetration testing ROS. In Robot operating system (ROS) (pp. 183-225). Springer, Cham.
Gluth, G.J., Arbi, K., Bernal, S.A., Bondar, D., Castel, A., Chithiraputhiran, S., Dehghan, A., Dombrowski-Daube, K., Dubey, A., Ducman, V. and Peterson, K., 2020. RILEM TC 247-DTA round robin test: carbonation and chloride penetration testing of alkali-activated concretes. Materials and Structures, 53(1), pp.1-17.
Khera, Y., Kumar, D. and Garg, N., 2019, February. Analysis and Impact of Vulnerability Assessment and Penetration Testing. In 2019 International Conference on Machine Learning, Big Data, Cloud and Parallel Computing (COMITCon) (pp. 525-530). IEEE.
Lu, H.J. and Yu, Y., 2021. Research on wifi penetration testing with kali linux. Complexity, 2021.
Luswata, J., Zavarsky, P., Swar, B. and Zvabva, D., 2018, June. Analysis of scada security using penetration testing: A case study on modbus tcp protocol. In 2018 29th Biennial Symposium on Communications (BSC) (pp. 1-5). IEEE.
McKinnel, D.R., Dargahi, T., Dehghantanha, A. and Choo, K.K.R., 2019. A systematic literature review and meta-analysis on artificial intelligence in penetration testing and vulnerability assessment. Computers & Electrical Engineering, 75, pp.175-188.
Rani, S. and Nagpal, R., 2019. Penetration testing using metasploit framework: An ethical approach. Int. Res. J. Eng. Technol, 6(8), pp.538-542.
Schwartz, J., Kurniawati, H. and El-Mahassni, E., 2020, June. Pomdp+ information-decay: Incorporating defender’s behaviour in autonomous penetration testing. In Proceedings of the International Conference on Automated Planning and Scheduling (Vol. 30, pp. 235-243).
Sina, B.J., 2019. Identifying the Efficacy of Various Penetration Testing Practices (Doctoral dissertation, Utica College).
Singh, A., Jaswal, N., Agarwal, M. and Teixeira, D., 2018. Metasploit Penetration Testing Cookbook: Evade antiviruses, bypass firewalls, and exploit complex environments with the most widely used penetration testing framework. Packt Publishing Ltd.
Zhang, N., Arroyo, M., Ciantia, M.O., Gens, A. and Butlanska, J., 2019. Standard penetration testing in a virtual calibration chamber. Computers and Geotechnics, 111, pp.277-289.
Zhou, T.Y., Zang, Y.C., Zhu, J.H. and Wang, Q.X., 2019. NIG-AP: a new method for automated penetration testing. Frontiers of Information Technology & Electronic Engineering, 20(9), pp.1277-1288.
Zhu, Z., 2017. Automated penetration testing for PHP web applications.