Infosec 2008: UK association of penetration testers launched

The IT security industry has launched the first UK association of providers of penetration testing.

Penetration testing is an established method of assuring information security, but an absence of standards and professional qualifications in the field has made it difficult for companies to find suppliers they can trust.

The Council of Registered Ethical Security Testers (Crest) now meets this need, said David King, head of information risk management at Aviva.

"Until now, end-users like Aviva have had no easy way of distinguishing good testers from bogus service providers and choosing a testing company has involved a certain amount of guesswork," he said.

Crest is the result of collaboration by 30 companies in the security industry to create a not-for-profit, standards-based organisation for penetration testers that provides assurance to end-users of the competence of member companies.

The association plans to achieve these aims by publishing and ensuring standards of service from member companies.

Crest chairman Paul Docherty said the UK was taking the lead in meeting the need for regulated and professional security testers to serve the global information security marketplace.

"We are looking to internationalise the model, which will be helped by the fact that several members of Crest are global organisations, and have already attracted some interest from overseas organisations to establish local chapters."

Crest has been running certification examinations since the start of this year and currently offers certification in infrastructure testing and web-application testing.

Standards will be reviewed every 18 months to ensure they are in step with technology developments, and members will be required to recertify annually and conform to any changes made to standards.
