Security testing standards council launched

The Council of Registered Ethical Security Testers (CREST) has been launched to set standards in network penetration testing and ensure companies can be confident of accurate results.

CREST has come about because many businesses and parts of the public sector felt that there were no clear standards on security testing and that businesses were receiving vastly different standards of test results.

Paul Docherty, chair at CREST, said: “Penetration testing is a widely accepted method of assuring information security and has become an integral part of many organisations’ operational and technology risk management programmes.

“Yet despite the widespread use of penetration testing, there has historically been a definite lack of agreed commercial standards and practices.”

The association currently has 15 members, including EDS, Ernst & Young, Deloitte & Touche and KPMG, but more members' applications are in process. Its advisory panel includes representatives from the NHS, Aviva and Lloyds TSB.

Companies are being charged a £7,000 membership fee, while individual members will be charged £1,600 to sit the CREST exam. Individuals who pass the exam can describe themselves as CREST certified for three years, after which they must sit an updated exam to retain the certification.

David King, head of information risk management at insurer Aviva, and an advisor to CREST, said that businesses looking for penetration testing of their infrastructure or applications could make sure their testers were CREST certified as “a way of weeding out testers who aren’t going to deliver”.

“Standardisation helps businesses to be sure the important boxes are ticked, and know that testers are qualified,” he added. “It’s especially important for global organisations who might use testers local to other areas and not be sure if their standards are comparable.”

James Wood, head of IT security at NHS Connecting for Health, said using CREST meant public sector organisations and businesses could be sure they were not “getting someone off the street who ends up crashing the system”.

Speaking on the NHS' use of testers in the £12.4 billion National Programme for IT, he said: “Security of national systems was always a high priority. CREST just adds another set of tools.”

But security is not the only concern in software testing: businesses are also worried about their software not functioning correctly.

Earlier in the month, a survey by testing specialist SQS Research found that 40 percent of organisations had suffered financial loss as a result of poor or no software testing.