by lukecameron 2638 days ago
While I agree with the general unfairness of this, on the other hand we currently have an ecosystem where SaaS products are used by most people to get their work done and generally manage their lives.

Shouldn't we have the right to know or be able to check how secure our data and identity is on these services?

1 comment

No. As a matter of fact, you do not have the general right to "check" how secure a SaaS provider is.
> Shouldn't we

> you do not

I don't think this answers the question. Of course unsolicited pen testing is already illegal; that's not an interesting question imo. What I'm more curious about is security industry opinions about whether or not the current law is a good idea.

Are there any changes you would make to the law if you had the ability to do so, or do you see a more general danger in allowing customers to attack their own accounts?

I would change the way CFAA charges are sentenced. I would not eliminate the general prohibition on hacking other people's computers.

We get "checked" multiple times on a daily basis. How do you deal with those?
Some SaaS companies set up bug bounties that offer explicit permission to test. Some companies offer that permission without a bounty. In the absence of either of those conditions, much of what a pentest firm would do to check the security of a website is a federal crime.

It's not a crime that is routinely prosecuted (at least not in the US; there are horror stories from the UK). But that doesn't mean it's safe to build a business around that activity.

(To be clear: I'm saying this about general security testing, not taking over someone's account who's paid you to do so. That's not criminal, just sort of unethical.)

How does a business like Acunetix still exist if that's really the case? Anyone online can use their services to check any website.

Acunetix sells a product that you can use lawfully or unlawfully. In the very unlikely event you were to find and later exploit a serious vulnerability in a major SaaS company using the Acunetix scanner, it would not be Acunetix that the lawyers would target.
Really not true at all, it's a matter of contract negotiations and deal sizes.

You do not have a general right. Obviously, 3rd-party penetration tests exist, and obviously there are a variety of things you can do short of actual testing to "check" security.