NTA Monitor

Latest News

IT Managers get to grips with Internet security issues

4th May 2010 According to NTA Monitor's 2010 Annual Security Report, the average number of Internet security vulnerabilities afflicting organisations has fallen...

Will IE6 be the next NT4?

1st October 2009 All penetration testers will remember the long tail of Windows NT 4.0, and how this operating system continued to be used long past the point when security updates stopped at the end of 2004. For many years the presence of an unpatchable NT4 server was a common issue in a penetration test report, and it is only now, almost five years after security support ended, that finding an NT4 system on a network is becoming a rare event.

One in four web applications susceptible to high risk security flaws

7th September 2009 NTA Monitor has reported a 10% increase in the total number of web applications found to have at least one high-risk security issue...

Organisations facing a changing threat landscape

20th July 2009 According to NTA Monitor's 2009 Annual Security Report, the average number of Internet security vulnerabilities is on the rise...

UK Penetration testing accreditation

Accreditation for penetration testing companies and individuals is set to change this year, as two new certifications are now on offer: CREST and Tiger. The long-established and well-respected CHECK certification will continue to be offered by CESG.

The CESG CHECK scheme, launched in 1999, has become accepted as the gold standard within the industry. Despite its high reputation, it was only really designed for use on classified government systems, and it has suffered from a shortage of fully-qualified members. The end result is that there are not enough CHECK team leaders to satisfy the demand of both government and commercial organisations: currently there are only about 70 team leaders in the country. The CHECK scheme went through a difficult patch in 2006/2007 and, although new membership is still currently suspended, it has begun to run its assault courses again for existing member companies.

Both the CREST and Tiger schemes were created to fill this gap, but they are based on very different models. CREST is an industry body with about 25 members, representing most of the UK's main security testing organisations, whereas Tiger consists of an operating body run by Vizuri's training arm Qbit Ltd and an examination body run by the University of Glamorgan. CREST offers both company and individual certifications, whereas Tiger focuses only on individual certification. The view within the industry is that there is only room for one of these certifications within the UK, so it is expected that ultimately one of them will become the dominant accreditation standard.

CHECK will undoubtedly remain but, assuming that at least one of CREST or Tiger succeeds, it will probably become more government-focused and less relevant for commercial organisations. In many ways this is a good thing, as CHECK was never meant to be a commercial accreditation, and the limitations of SC clearance and British citizenship are not always relevant for commercial penetration tests.

The new accreditations will also be good news for people wanting to pursue a career in penetration testing, because many people were excluded from the CHECK scheme due to these limitations. The other qualifications, such as CISSP and CEH, were more tests of baseline knowledge than of penetration testing ability. This can only be a good thing for the penetration testing industry and for companies that require penetration testing, as it will increase the number of qualified testing consultants.