Penetration Test - Standards and Certification

Standards and Certification

The process of carrying out a penetration test can reveal sensitive information about an organization. It is for this reason that most security firms are at pains to show that they do not employ ex-black hat hackers and that all employees adhere to a strict ethical code. There are several professional and government certifications that indicate the firm's trustworthiness and conformance to industry best practice.

The Tiger Scheme is a not-for-profit scheme that offers three certifications: Associate Security Tester (AST), Qualified Security Team Member (QSTM) and Senior Security Tester (SST). The SST is technically equivalent to CHECK Team Leader and QSTM is technically equivalent to the CHECK Team Member certification. Tiger Scheme certifies the individual, not the company. The Tiger scheme also offers certification for computer forensic practitioner relating to Forensic Readiness, Scene of Crime Management, Forensic Practitioner and Malicious Software Analyst. The Tiger scheme is the only scheme in the UK that has all of its assessments accredited and quality audited by the University of Glamorgan.

The Information Assurance Certification Review Board (IACRB) manages a penetration testing certification known as the Certified Penetration Tester (CPT). The CPT requires that the exam candidate pass a traditional multiple choice exam, as well as pass a practical exam that requires the candidate to perform a penetration test against servers in a virtual machine environment.

SANS provides a wide range of computer security training arena leading to a number of SANS qualifications. In 1999, SANS founded GIAC, the Global Information Assurance Certification, which according to SANS has been undertaken by over 20,000 members to date. Three of the GIAC certifications are penetration testing specific: the GIAC Certified Penetration Tester (GPEN) certification; the GIAC Web Application Penetration Tester (GWAPT) certification; and the GIAC Exploit Researcher and Advanced Penetration Tester (GXPN) certification.

Offensive Security offers an Ethical Hacking certification (Offensive Security Certified Professional) - a training spin off of the BackTrack Penetration Testing distribution. The OSCP is a real-life penetration testing certification, requiring holders to successfully attack and penetrate various live machines in a safe lab environment. Upon completion of the course students become eligible to take a certification challenge, which has to be completed within twenty-four hours. Documentation must include procedures used and proof of successful penetration including special marker files.

Government-backed testing also exists in the US with standards such as the NSA Infrastructure Evaluation Methodology (IEM).

The Council of Registered Ethical Security Testers (CREST) provides three certifications: the CREST Registered Tester and two CREST Certified Tester qualifications, one for infrastructure and one for application testing.

The International Council of E-Commerce consultants certifies individuals in various e-business and information security skills. These include the Certified Ethical Hacker course, Computer Hacking Forensics Investigator program, Licensed Penetration Tester program and various other programs, which are widely available worldwide.

The mile2 organization certifies individuals in information security, particularly in penetration testing, offering a Certified Penetration Testing Engineer (CPTE) certificate. Most recently, Kevin Henry, who has authored official material for both (ISC)² and ISACA, wrote the newest edition which was published by ITGovernance.