It’s Time to Clean up our Language

What’s in a phrase? Not a lot if you’re gossiping casually, though style, fashion or taste might perhaps shape your choice of words. But words mean a lot if you’re aspiring to operate in a professional manner, because precise definitions are the basis of the body of knowledge that underpins any professional practice.

So perhaps it’s about time we cleaned up our choice of terminology. I was reminded of this today when a professional body asked me for my views on the term “ethical hacking”. It’s one of those phrases that’s crept into usage to describe what I’d call “penetration testing”, though I’m not entirely sure if that’s an accurate description for the activity of live testing of systems or infrastructure to identify security vulnerabilities. But ethical hacking is definitely a misnomer. Firstly, because it has a different objective from hacking, i.e. it’s intended to detect security vulnerabilities, not achieve a penetration of a system. And secondly, because it’s a straightforward business requirement and has little to do with ethics.

There are lots of security glossaries around. Microsoft has one but it doesn’t include the word testing (bit worrying that). SANS has one that includes penetration testing but describes it as merely testing the external perimeter security. The IETF has a better definition for penetration testing, but falls down when it comes to “hacker” by describing it as “someone who figures things out and makes something cool happen”. Arghhh!

Join the conversation

These terminologies spring out of mental laziness. Imagine if our ancestors were as lazy and named most of their inventions, etc., in the same manner?

Rob Slade has now had his excellent Dictionary published and therefore is, sadly, no longer available for looking up all the various sec-phrases. His earlier definition for Penetration Testing was "the portion of security testing in which the evaluators attempt to circumvent the security features of a system. The evaluators may be assumed to use all system design and implementation documentation, which may include listings of system source code, manuals, and circuit diagrams. The evaluators work under the same constraints applied to ordinary users. Frequently abbreviated to pen test." His current updates are also worth keeping an eye on at as are his excellent book reviews for anyone who is thinking of buying one.