by tptacek 2642 days ago
No. As a matter of fact, you do not have the general right to "check" how secure a SAAS provider is.

> Shouldn't we

> you do not

I don't think this answers the question. Of course unsolicited pen testing is already illegal; that's not an interesting question imo. What I'm more curious about is security industry opinions about whether or not the current law is a good idea.

Are there any changes you would make to the law if you had the ability to do so, or do you see a more general danger in allowing customers to attack their own accounts?

I would change the way CFAA charges are sentenced. I would not eliminate the general prohibition on hacking other people's computers.

We get "checked" multiple times on a daily basis. How do you deal with those?
Some SAAS companies set up bug bounties that offer explicit permission to test. Some companies offer that permission without a bounty. In the absence of either of those conditions, much of what a pentest firm would do to check the security of a website is a federal crime.

It's not a crime that is routinely prosecuted (at least not in the US; there are horror stories from the UK). But that doesn't mean it's safe to build a business around that activity.

(To be clear: I'm saying this about general security testing, not taking over someone's account who's paid you to do so. That's not criminal, just sort of unethical.)

How does a business like Acunetix still exist if that's really the case? Anyone online can use their services to check any website.

Acunetix sells a product that you can use lawfully or unlawfully. In the very unlikely event you were to find and later exploit a serious vulnerability in a major SAAS company using the Acunetix scanner, it would not be Acunetix that the lawyers would target.

Really not true at all, it's a matter of contract negotiations and deal sizes.

You do not have a general right. Obviously, 3rd-party penetration tests exist, and obviously there are a variety of things you can do short of actual testing to "check" security.