Who should perform a legal hack? There are a number of qualifications that should be expected from a legal hack team. The first expectation we would like to mention is independence: a test team should not depend, financially or otherwise, on the organization or department that is being reviewed. Another reasonable expectation is that the test team should not consist of real (ex-) hackers. Especially in the case of a full-knowledge interior test or an application source code review, the test team should be thoroughly trustworthy. There are even known cases in which people hired to perform a legal hack used the knowledge gained during the test to hack the company in their spare time and publish the results within the hacker community. The test team should therefore also sign a confidentiality agreement. Finally, the legal hack team should not consist of people whose only experience is in compliance audits: a legal hack is not a simple compliance check against a given standard.
Legal hacking is a labor-intensive activity and an unlikely candidate for complete automation. Therefore, the quality of a legal hack largely depends on the quality of the people performing the test. The test team should consist of experienced security professionals with a good general understanding of IT. Legal hacking focuses on technical control measures, so it is reasonable to expect the team members to have a technical background.
Because of the large number of open source tools involved, and especially when a source code review has to be performed, it is recommended that test team members have experience in software development. A good test team consists of people who each bring their own specialist expertise; together they form a multidisciplinary team that can test any system in a hybrid IT environment. Last but not least, the test team should be creative. Given that the team will come across many different systems and that the assignment is to circumvent their security features, a legal hack team cannot do without some creativity.
There is no such thing as a standard legal hack. However, it is recommended that a test team use standards for legal hack methodology, reporting and archiving of results. There should also be guidelines on destroying this archive after a certain period of time. Quality control should be used to guarantee adherence to those standards.