The security industry seems to be broadly polarised by the Attorney-General's recent announcement of the formation of CREST Australia (Council of Registered Ethical Security Testers). For those who have not kept pace with this piece of news, CREST Australia has been chartered by the AG's office to certify the competency of penetration testers within Australia. Now, I've spoken with quite a few people and I am quite surprised at the variety of responses—particularly from people I would have expected to endorse it.
Looking at it from both sides, many penetration testers have a range of concerns with the idea of any kind of certification. A certification might test only a minimum level of skill that is itself inadequate, or the examination might lack the rigour needed to keep the standard high over time. Additionally, many feel—particularly long-term practitioners in this field—that it is not for non-practitioners (or individuals of lesser skill) to evaluate their competency. There are also accusations that CREST Australia will become another cash cow, monopolising penetration testing and forcing testers to cough up if they want to continue operating. This leads to the question of the costs associated with such certification and who should pay them, not to mention perhaps the greatest concern of all: what is the impact on my livelihood if I refuse? Quite rightly, each of these concerns has a degree of validity, and they raise many questions that CREST Australia, in conjunction with the AG's office, will need to address.
However, it is important to remind ourselves of the reasons we have reached this point at all; I think many people forget them. For a long time, there have been many hucksters and spruikers selling port scans and vulnerability assessment tools as "penetration testing".
To date there has been no common benchmark agreed by the industry on what a penetration test is, what tools and methods will be used, and what the expected impacts and outcomes of the testing are. This lack of commonality means it is very much a case of "caveat emptor". Some buyers are highly educated (banks typically lead the way) while others are not. There has also been fierce debate about the competency of individual testers, and so different organisations have constructed a variety of their own tests to evaluate it. So it comes as no surprise that the people most keenly aware of these issues, those facing the greatest challenge in hiring reputable penetration testers, are the ones most fiercely advocating this accreditation.
A good friend of mine—a management consultant, trainer and performance expert—once explained that the purpose of certification is not to ensure that those who pass are perfect, but rather to establish a median around which those who pass fall within a relatively narrow standard deviation. In other words, the goal of the accreditation scheme should be to establish a reasonable minimum expectation of competency. However, anecdotal reports (of which there are few, owing to the non-disclosure agreements surrounding the UK scheme) suggest that the test puts the individual against the clock, with Internet access restricted, to see how they perform. But is this a suitable gauge of competency?
It is all too premature at this stage. But if CREST accreditation as it is performed in the UK is anything to go by, it will mean a major shakeup of the industry. Once accreditation becomes a de facto industry standard it effectively becomes a tax, and individuals and companies will have to pay it. While some have argued that they can still sell penetration testing without being accredited, the industry will gravitate towards the standard. Banks and government will be the first clients to demand CREST accreditation of their testers, but eventually other clients will follow. This trend has repeated itself time and time again, with multiple certification schemes both within IT and outside it following the same pattern.
Ultimately, costs will be passed on to clients. Firms that are unable to raise the money to gain certification, or to pass the cost on to customers, will close their doors, resulting in a reduced supply of penetration testing services. Similarly, penetration testers who are selling Nmap or Nessus scans as pentests will ultimately realise they have no chance of passing and choose not to undertake the accreditation. This is especially true for small shops of one or two people who play across everything within IT. Truth be told, the local market for penetration testing within Australia is already quite small. When you consider the impact of reducing that pool further, and the relatively short list of individuals capable of passing, increased costs and reduced supply will create a new price equilibrium. My prediction is that in the long term this means a higher pay grade for penetration testers who pass the accreditation.
On the other hand, we all expect our doctors, surgeons, mechanics, electricians and other tradesmen to be appropriately qualified. After all, we wouldn't want someone who has never even stood in an operating theatre performing open-heart surgery on a family member. So do you really trust that penetration tester to evaluate the security of your main e-commerce portal? Why? Is it wrong to expect a minimum level of skill from our own profession as we do from every other? To suggest otherwise smacks of hypocrisy.
These are all just signs of an industry that is still very much in its infancy, and they highlight just how far we all have to go. This certification can be a good thing, but the burden will ultimately rest on the participants if it is to be shaped into something of value.