
The IT security industry has launched the first UK
association of providers of penetration testing.
Penetration testing is an established method of assuring
information security, but an absence of standards and
professional qualifications in the field has made it difficult for
companies to find suppliers they can trust.
The Council of Registered Ethical Security Testers (Crest) now
meets this need, said David King, head of information risk
management at Aviva.
"Until now, end-users like Aviva have had no easy way of
distinguishing good testers from bogus service providers and
choosing a testing company has involved a certain amount of
guesswork," he said.
Crest is the result of collaboration by 30 companies in the
security industry to create a not-for-profit standards‑based
organisation for penetration testers to provide assurance to
end-users of the competence of member companies.
The association plans to achieve these aims by publishing and
ensuring standards of service from member companies.
Crest chairman Paul Docherty said the UK was taking the lead in
meeting the need for regulated and professional security testers to
serve the global information security marketplace.
"We are looking to internationalise the model, which will be
helped by the fact that several members of Crest are global
organisations, and have already attracted some interest from
overseas organisations to establish local chapters."
Crest has been running certification examinations since the
start of this year and currently offers certification in
infrastructure testing and web-application testing.
Standards will be reviewed every 18 months to ensure they are in
step with technology developments, and members will be required to
recertify annually and conform to any changes made to
standards.