$w33p3R,

interesting question

I must admit I've never thought about this question from a corporate perspective, now you bring it up I can understand that mentality. Personally I'ev always looked at it from the 'to catch a thief' perspective.

I'd definitely agree that real-world experience trumps book-smarts, but you can get that experience whilst staying on the right side of the legal fence. Either hands on in a lab or performing the job in the real-world. Like all fields, pentest teams will often have 'trainees' and 'juniors' who have the book-smarts and are learning the ropes alongside seasoned pros.

Getting back to hiring someone who has spent time on the dark-side, I'd advise it depends entirely on the people involved. If the individual in question proves trustworthy then I can see no reason not to have that skill and knowledge as part of your time. In this case I'd suggest the ECSA/LPT's advice could be modified to 'Never advertise that you have an ex-hacker on your team'.

That said, if the client asks for crimal records, police checks etc. it's time to hold your hands-up. If you trust the individual, try explaining the situation/background to the client and they may agree. Worst case if the client still doesn't want an ex-hacker having access to their environment, you can re-assign the individual to a different job whilst the remaining team get on with the job in hand. Potentially pulling in twice the revenue

2 quick points:

1. Ask a corporation hiring a pen test team, and they will tell you that they don't want to hire an ex-con. That alone should say don't have one on your team.
2. I don't expect the police to have been petty thieves, have DUIs, be murderers or child molesters in order to do their job with skill.

Don

Ex-Con would mean someone who had been convicted of their crimes.

This doesnt mean that everyone who has never been caught has been a naughty boy / girl though.

I think the distinction with this all round, is to not employ someone where you feel their personality, background and criminal checks would lead you to believe they would be a risk to your organisation or any other.

Yes, I do make a disctinction. But it is more like deciding the difference between pr0n and art. You may like both  , but you know the difference when you see it. For this reason, I can't simply say that the line is if you got caught IE a felon or ex-con. In a job interview, if you ask a candidate about dipping a toe into the dark side, you can tell the difference if they did it just for the knowledge or if there is glee in their voice about their misadventures.

Bottom line is that if you ask those who are hiring pen testers, almost all of them will tell you that there are now plenty enough professionals who have never gone to the dark side to make the decision a no brainer, so why even take that chance.

Hope this helps,
Don