NTA Monitor

Latest News

New version of network scanning tool arp-scan released

15th March 2011 A new version of a respected and popular network scanning tool has been released.

Tests show rise in number of vulnerabilities affecting web applications with SQL Injection and XSS most common flaws

1st March 2011 SQL injection and cross-site scripting (XSS) were the most common flaws found in web applications in 2010 according to results from tests carried out by NTA Monitor.

Assess risk to manage effects of budget cuts

9th February 2011 Signs of economic recovery may be appearing in some industries, but for most organisations - particularly in the public sector - budget cuts and cost savings are here to stay for the foreseeable future.

"Basic security threats not changed in 15 years"

1st February 2011 There may have been significant technological advances to the hardware and software organisations use, but according to Roy Hills, who co-founded NTA Monitor in 1996, the basic security threats have not changed in the last 15 years.

UK Penetration testing accreditation

Accreditation for penetration testing companies and individuals is set to change this year, as two new certifications are now on offer: CREST and Tiger. The long-established and well-respected CHECK certification will continue to be offered by CESG.

The CESG CHECK scheme that was launched in 1999 has become accepted as the gold standard within the industry, but despite its high reputation it was only really designed for use on classified government systems and it has suffered from a shortage of fully-qualified members. The end result is that there are not enough CHECK team leaders to satisfy the demand of both government and commercial organisations - currently there are only about 70 team leaders in the country. The CHECK scheme went through a difficult patch in 2006/2007 and although new membership is still currently suspended, it has begun to run its assault courses again for existing member companies.

Both the CREST and Tiger schemes were created to fill this gap, but they are based on very different models. CREST is an industry body with about 25 members, representing most of the UK's main security testing organisations, whereas Tiger consists of an operating body run by Vizuri's training arm Qbit Ltd and an examination body run by the University of Glamorgan. CREST offers both company and individual certifications, whereas Tiger focuses only on individual certification. The view within the industry is that there is only room for one of these certifications within the UK, so it is expected that ultimately one of them will become the dominant accreditation standard.

CHECK will undoubtedly remain but, assuming that at least one of CREST or Tiger succeeds, it will probably become more government-focused and less relevant for commercial organisations. In many ways, this is a good thing, as CHECK was never meant to be a commercial accreditation and the limitations of SC clearance and British citizenship are not always relevant for commercial penetration tests.

The new accreditations will also be good news for people wanting to pursue a career in penetration testing, because many people were excluded from the CHECK scheme by those limitations. Other qualifications, such as CISSP and CEH, were more tests of baseline knowledge than of penetration testing ability. This can only be a good thing for the penetration testing industry and for companies that require penetration testing, as it will increase the number of qualified testing consultants.