
Cybersecurity, not all hackers are bad

Who the ethical hacker is and why companies hire one. Prior authorisation and the tests to be carried out

by Alessia Valentini

3' min read

Translated by AI

The hacker, as a professional figure, is often the victim of misinformation and negative connotations. Then there is the ethical hacker, a professional who helps prevent damage from software vulnerabilities and assists in fixing them.

Who is the ethical hacker

The term 'ethical hacker' refers to a computer security professional, often a researcher, trained to analyse digital environments and identify vulnerabilities in systems before attackers can exploit them to damage those systems. This professional, who must be explicitly authorised in advance, simulates real computer attacks in order to assess the technical risk and raise the level of security. The work consists of a series of attempts to gain access to a computer system, application or data, operating as an attacker would, in order to identify the software vulnerabilities that allow access controls to be circumvented.


The results, which must be reproducible, are documented and shared with the client, so that the client can take action to eliminate and close the vulnerabilities by means of appropriate patches (corrective software interventions).

The motivations

The term hacker is often used in a negative sense to indicate unauthorised intrusions, but the difference with the ethical hacker lies precisely in the motivations and in the way this professional operates. Transparency of activities and close collaboration with the company that owns the systems under scrutiny, which explicitly authorises the ethical hacker's work, are the characteristic preconditions of any technical testing engagement. The main advantage of authorising Penetration Tests (PT) and Vulnerability Assessments (VA), i.e. intrusion tests and vulnerability assessments, lies in the possibility of identifying software vulnerabilities from the attacker's point of view so that the weaknesses can be corrected. Closing vulnerabilities also increases the resilience of digital systems, with positive effects on the quality of the company's own digital services and/or products and on its reputation in the market.

Indeed, making public the critical issues that have been remedied brings an immediate return in terms of image and trust from potential customers.

The Spid case

This is the case of the PosteID app, which was recently subjected to security analysis by two researchers from the Security and Rights in CyberSpace (Serics) foundation, an organisation whose main purpose is scientific and technological research in the field of cybersecurity. Gabriele Costa, associate professor of computer science and leader of the Securing softWare frOm first PrincipleS (Swops) project, which is part of Serics' Spoke 6, together with Federico Chiesa, a computer science graduate of the University of Florence, are the researchers behind the discovery. Together they identified a logical flaw in the PosteID app's strong authentication system.

The problem identified allowed the fraudulent and malicious registration of a new device as part of the Spid authentication process via the PosteID app for Android, permitting the replacement of a user's legitimate device, which could then be removed from the user's own Spid. The collaboration between the company and the test team allowed the vulnerability disclosure process to be handled in a controlled manner, and only after the software weakness had been resolved.

Also crucial was the vulnerability management process followed by the Poste Company, which authorised the tests, acknowledged the evidence on the repeatability of the vulnerability exploitation steps, and produced the fix. The effectiveness of this fix was again entrusted to the researchers' tests, which confirmed the closure of the software flaw. The entire operation is documented in the research paper entitled "The Postman: A Journey of Ethical Hacking in PosteID/SPID Borderland", published on arXiv.org, which contains all the technical and operational details.
