Pen testers' regulatory body launched
The Council of Registered Ethical Security Testers (CREST) was formally launched today (Wednesday) at the Infosecurity Europe expo in London. Born of the recognition that there was no assurance framework for security services providers in the private sector analogous to the government CHECK scheme, CREST was initiated in early 2007 to provide a "kite mark" for security testers serving commerce and industry.
Consultation with security testing professionals revealed that there were at that time no defined standards or formal tests of competence. Around 30 specialist companies therefore pooled resources to develop a framework of standards and examinations that would serve as a common criterion of competence for both companies and individuals. Processes were then developed to support the framework. The initiative is well supported in government circles. The examinations have been accepted as comparable with CHECK lead auditor qualifications – to the extent that a pass in the CREST exam qualifies the recipient, as if under CHECK, to work on government projects.
The consortium went live in early 2008 as a not-for-profit organisation offering technical examinations for individuals and an assurance framework for companies to apply to validating their staff on commercial and ethical criteria. Two tracks of examinations for individuals are currently offered: infrastructure testing and application testing with an emphasis on web applications. The examinations are in three parts: a black box practical, a multiple choice theory paper drawn from a large pool and a discursive answer theory paper. The latter, although currently unusual in technical examinations, was included specifically to validate the communication skills of candidates, as this is seen as a critical component of the consultancy rôle. So far the examinations have elicited a very positive response from candidates, including from some who have failed the exam. Traceability is a key component of the examination system. Mark Raeburn, chairman of operations, informed heise online that the audit trail of each candidate's practical test is retained on archive while they remain qualified. The examination is regularly updated and must be retaken at intervals, currently every three years at a cost of £1600 per sitting.
The assurance framework provides standards and a methodology for companies to validate their staff against the commercial and ethical aspects of the software testing rôle. CREST does not, and has no intention to, validate the backgrounds of individual candidates beyond employing normal rigour to prevent examination fraud. Chairman Paul Docherty told heise online that the organisation sees staff vetting to the required standards as one of the indicators of a company's capacity to deliver consultancy.
Membership is open to companies offering security testing services that are prepared to implement the assurance framework, currently at a cost of £7,000 per annum regardless of company size. Seventeen medium to large consultancies have already signed up. Individual membership is not available as a separate category, but those who have passed the exam are allowed to publicly declare it as a qualification. There is, however, an "associate" category for those who have passed the exam but are not employed by a CREST member company. Asked by heise online whether this purely corporate emphasis in membership might tend to stratify the profession to the disadvantage of small consultancies, Mark Raeburn responded that, since implementing the framework is an essential part of the validation requirement, there can be no distinction based on company size. He accepted that the burden on smaller consultancies would be higher but, asked whether this might lead to corner-cutting, responded that there is little chance of fraudulent or inadequate implementation of the framework owing to its standards-based approach; in addition, the organisation has an audit remit for cases where an application for membership rings too many warning bells in the first-round assessment.
So far only a few tens of individuals have taken the examinations, and a pass rate of 50-55 per cent is evident. Paul Docherty categorically stated that the examinations are set against standards and the pass rate is not in any sense a target criterion. It remains to be seen how this strategy, valid as it is from the standards perspective, fares in comparison to existing high pass rate boot-camp oriented infosec certifications.