Actually, it's about ethics in penetration testing, presented at bsideswellington 2017

by Josh Brodie

Summary: This talk will serve as a rough guide to not being a Nessus-rebranding, haphazard shell-popping, DB-dropping, business-stopping cowboy. In it, I will provide words of caution against the tempting world of curiosity-driven unsolicited penetration testing (sometimes known as 'actually being an attacker'). I'll detail a number of Career Limiting Moves: ethical missteps which may be made without a true appreciation for the impact on your ability to operate in this industry.
I'll discuss why it's necessary to be aware of business context, the challenges being faced by the clients and the realities of their operating environment in order to provide actionable advice. I'll also detail the importance of ensuring clients have a sufficiently thorough understanding of exactly what assurances can be provided by the testing scope you've been given, to avoid creating a false sense of security, and I'll tie this all into the general theme of not being a jerk and your obligations to your employer and your client.
This talk is for you if you try your best to be a professional and are keen to see if I cover any areas you hadn't considered and could work on.
This talk is ESPECIALLY for you if you're on the red team and have ever blindly launched shellcode you found on the internet at a customer system or tweeted a screenshot of a vulnerable app you were testing professionally.
The talk has a practical business-oriented focus and isn't going to use academic definitions or delve into ethical theory or philosophy.