It may come as a surprise to some that setting clear and agreed standards for cyber security testing is not a common practice in most countries.
In fact the UK has led the way for many years through the Council for Registered Security Testers (CREST), which has sought to establish quality standards and regulatory procedures to maintain a professional - and trusted - security testing industry.
Recently attitudes in the worldwide security testing industry have started to change and some countries have begun to introduce accreditation schemes. The USA has established security testing guidelines along similar lines to CREST GB and in March 2012 Australian Attorney General Nicola Roxon announced the formation of an Australian branch of CREST.
Interestingly, the Australian announcement has had a mixed reception from industry commentators and experts. Some have welcomed the accreditation process because it means businesses can be assured that qualified IT professionals will be carrying out security testing. Others have raised a range of concerns: increased costs, the risk of squeezing the ‘creative’ IT testers out of the industry, and the possibility that the mandated levels of testing may be inadequate, not rigorous enough, or fail to cover the latest issues affecting the cyber industry, such as Near Field Communication (NFC).
However, the concerns raised don’t address why there is a need for a common benchmark that security testers can work to. An agreed set of standards removes the debate about the competency of individual testers and sets a single standard against which testers can be judged. It also clarifies and defines what a penetration test is, what the outcomes will be, how the test will be carried out, and the methods and tools that testers will use.
This is important for businesses and organisations. They need to know they can trust the penetration tester, who has been given access to sensitive and commercially valuable information and systems, and that the tester will perform with skill, integrity and accountability. It is our duty therefore to make sure we deliver the very best possible service across the whole of the security testing industry.
Roy Hills has been heavily involved in setting CREST GB’s standards, guidelines and pen testing training. He is now working with CREST Australia to establish its accreditation scheme.