Penetration testing used to be perceived as black magic, as for many years even most experienced IT security practitioners viewed the process as highly aggressive and patently specialized; the domain of a chosen few professionals with a scarcely defined bag of tricks that allowed them to carry out their precarious work.
Thankfully, much of that perception has changed in recent years, as, driven by the threat landscape and numerous IT security mandates, proactive exploit-based testing has at long last been elevated to the ranks of operational best practices. Finally, people have embraced the concept that in order to understand precisely where their organizations are most vulnerable to real-world attacks, they must first be willing to probe those weaknesses for themselves.
Today, that long evolution is taking another significant step forward, as we see the rise of more comprehensive, clearly defined certifications for penetration testers to conform to, and through which to understand precisely what skills are considered necessary for them to go to work as professionals across both the public and private sectors.
Specifically, the recent creation of the National Board of Information Security Examiners (NBISE) here in the United States, and the group’s backing of the pen testing certification guidelines established by the Council of Registered Ethical Security Testers (or CREST), represents a vital shift in the certification environment.
CREST, which was launched in response to the need for regulated and professional security testers to serve the global information security community, has been a huge hit overseas, most notably in the United Kingdom. A new partnership between the NBISE and the CREST Examination body will now streamline certification for penetration testers here across the pond.
Why is this movement so important?
Those of us who were self-taught pen testers traditionally had not only to come to grips with our souls as white hats but also to strive to legitimize our field. Penetration testing was finally formally defined as a practice two years ago by NIST, lending credibility to our science, but not necessarily to our specific training and skill set.
This left major questions in terms of translating process into profession. Who would be considered qualified to conduct formal penetration tests? What certifications mattered most to gain that status?
Just as in the medical profession, we needed internationally recognized standards for our craft, for only through such an initiative can we be legitimized as essential members of the risk management community at large.
Now, under the leadership of Mike Assante, former CSO for the North American Electric Reliability Corporation (NERC), the NBISE's first pilot is underway, and with it the most significant effort to date aimed at certifying U.S.-based penetration testers as legitimate, internationally recognized professionals.
I fully support the NBISE's endeavor and would recommend that if you are, or ever wanted to be, a pen testing pro, you should join the pilot program, which is to be undertaken this autumn across the nation.
For more information, please click HERE.
--Tom Kellermann, Vice President of Security Awareness