Commendations and critiques
SC Magazine Australia has spoken to more than a dozen seasoned penetration testers about the CREST initiative and found most in support. They say it has the potential to stomp out some of the basement traders and will demystify the penetration testing industry for customers.
MacGibbon says those cheap and simple pen tests have a place, but not with big businesses. “When you buy a vehicle, you have a wide choice, and you basically know what you are getting. That’s not the same in security. But the cheap and cheerful car has its place and it’s the same in security.”
The CREST certificate will also help forge a career path for university students into the penetration testing industry. “Students and others will have a career path that’s going to help them get into the industry and learn the right skills,” Alcorn says. In the same vein, CREST could help address information security skills shortages in both Australia and New Zealand, McKitrick says. “There is a skills shortage and that would allow us to import talent, and we would know without necessarily going through the entire interview that they are up to scratch.”
Both CREST chapters have said they intend to keep fees as low as possible while ensuring the non-profit companies are sustainable.
Critics – experienced testers who requested anonymity – say the standard is irrelevant to those who have the experience and reputation with the same customers CREST aims to serve. To them, CREST is a cost. But they have reserved further opinion until details emerge later. “We know our stuff already and don’t need a certificate to tell us or our clients that,” one pen testing director said. Indeed, many claimed to enjoy repeat business from clients which they say CREST would not affect. Others were concerned about how it may affect doing business in New Zealand.
Wil Allsopp, principal consultant with Verizon Business and a veteran penetration tester, says the abilities of a pen tester are best learnt by reading their CV. “My opinion is that certs for pen testing are pretty worthless all round for experienced testers; you should be able to look at someone's CV and within a short time interviewing them have a pretty good idea of where they are.”
Allsopp has taken the CHECK test, equivalent to the senior CREST infrastructure certificate and run by CREST in Britain. His criticisms came despite having hired and been hired based on the certificate. His criticisms about the technical relevance of the exam are shared by others contacted by SC Magazine Australia.
“CREST … assumes that pen testing is a single discipline that can be baseline evaluated,” he says. “It isn't and you can't. To be a good pen tester takes time and experience because you need a very broad knowledge of operating systems, databases, languages and so on.” That broad experience doesn’t translate well in an exam, Allsopp says, arguing that a question asking ‘what stored procedure would you use to compromise an MS SQL 2005 server’ is unfair when examiners accept only one answer (xp_cmdshell) of dozens.