Penetration Testing mailing list archives

RE: CREST or TIGER?

From: "Paul J Docherty" <PJD () portcullis-security com>
Date: Mon, 22 Oct 2007 07:00:35 +0100
EH, 
  
I came across your mail asking for opinions on the TigerScheme verses CREST certifications.  Before I comment I feel I 
should declare my hand by saying that my organisation is involved in and fully supports CREST. 
  
I was interested to note your table and the conclusions you have arrived at regarding the attributes of both schemes.  
Can I suggest that one or two of the conclusions are perhaps as a result of misunderstanding, or a lack of clarity in 
the available information. 
 
CREST is OPEN for examinations having already run its Alpha and Beta test programs. Moreover, there are two sets of 
examinations available; one which covers Infrastructure and one covering Applications, not to mention the core module 
which is required regardless of which stream is taken. I understand from their website that the Tigerscheme is only 
offering Infrastructure exams.   
  
CREST is indeed an industry body with the aim of improving the level of demonstrable standards, but has a growing 
advisory panel made up of the highest volume consumers (from both the public and private sectors) of these services who 
provide advice and direction to CREST to ensure that the standard is high and appropriate for their needs. In addition, 
the IAP ensures CREST remains current as new technologies emerge. 
  
As you may notice from the Members page of the website, CREST is supported by many of the key players in the security 
testing market. 
 
The CREST process has been designed to ensure that CREST member companies have clear demonstrable standards that they 
provide a quality test to the end user community. 
 
As noted on the first line of the front page on the CREST website, CREST is a not-for-profit, wholly independent 
organisation. 
  
As you rightly point out, both schemes do cater for individuals, however the CREST Standards also have stringent 
processes for accepting organisations as members.  Your email suggests that Tigerscheme also do this through the CCTM, 
I feel it prudent to point out that the CCTM is a totally separate scheme from Tigerscheme and is run by CSIA. I quote 
from the CCTM web site; "Vendors register to have their product or service tested against their marketing claims."  The 
CCTM is also quite a costly process with average costs quoted being circa £20,000+. 
   
Career path is indeed provided for in both schemes. Again, as you point out, low level examinations do not carry much 
weight within what is a deeply technical specialism.  The CREST examinations therefore provide a significant test of an 
individual's ability - considerably greater than currently exists within the industry. It therefore represents a 
difficult but achievable goal for penetration testers. 
  
The conclusion regarding the CEH is probably the result of misunderstanding the information on the website.  CREST does 
not 'support' or endorse CEH and the site has been changed to clarify this, and make the information about the 
membership levels easier to digest.  We thank you for bringing this lack of clarity to our attention. 
  
Regards 
  
Paul Docherty

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of EH
Sent: 17 October 2007 12:26
To: pen-test () securityfocus com
Subject: CREST or TIGER?

All, I would value your opinion.  I am trying to make a comparison
between the 'new kids on the block' in terms of pen tester
accreditation here in the UK, CREST and TIGERScheme,  for my
organisation.  So far I've come up with the following information.

                                      CREST            TIGER
An existing examination      No                  Yes
Independent of suppliers      No                  Yes
End user driven                   No                  Yes
Not for profit                       Yes?               Yes
Applicable to Individuals      Yes?              Yes
Company standards            Yes               Yes (CCTM)
Career path                        Yes?              Yes
University standard              No                Yes
It seems that the TIGER Scheme www.tigerscheme.org is fully up and
running and accrediting individuals already plus it is a University
based examination which CREST www.crest-approved.org is not.

I see from the CREST website that they are in support of the often
maligned multiple guess CEH examination and will 'grandfather'
individuals into the 'CREST approved' scheme if they have CEH.  Now I
am a CEH [amongst other things I hasten to add] and I sat the exam in
early 2003.  It was taken reasonably seriously then but it seems that
the pen test communities opinion of the cert has deprecated somewhat
over time ... so is CREST a re-branded EC-COUNCIL?  If so will they go
the same way?

To grandfather into TIGER at the lowest level of certification you
need an approved MSc in Computer Security.  Basically any certs I
recommend for my organisation I want to be taken seriously now and in
future. I am heavily leaning towards TIGER.

Your thoughts?

Thanks in advance.

EH

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------




-- 
No virus found in this incoming message.
Checked by AVG Free Edition. 
Version: 7.5.488 / Virus Database: 269.15.0/1076 - Release Date: 17/10/2007 19:53



###############################################################
This email originates from the systems of Portcullis
Computer Security Limited, a Private limited company, 
registered in England in accordance with the Companies 
Act under number 02763799. The registered office 
address of Portcullis Computer Security Limited is: 
The Grange Barn, Pikes End, Pinner, MIDDX, 
United Kingdom, HA5 2EX. 
The information in this email is confidential and may be 
legally privileged. It is intended solely for the addressee. 
Any opinions expressed are those of the individual and 
do not represent the opinion of the organisation. Access 
to this email by persons other than the intended recipient 
is strictly prohibited.
If you are not the intended recipient, any disclosure, 
copying, distribution or other action taken or omitted to be 
taken in reliance on it, is prohibited and may be unlawful. 
When addressed to our clients any opinions or advice 
contained in this email is subject to the terms and 
conditions expressed in the applicable Portcullis Computer 
Security Limited terms of business.
###############################################################

#####################################################################################
This e-mail message has been scanned for Viruses and Content and cleared 
by MailMarshal.
#####################################################################################

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
Current thread:

CREST or TIGER? EH (Oct 18)
- Re: CREST or TIGER? Danny Fullerton (Oct 19)
  - RE: CREST or TIGER? Shenk, Jerry A (Oct 19)
  - Re: CREST or TIGER? mamo (Oct 21)
- Re: CREST or TIGER? Rory McCune (Oct 21)
- <Possible follow-ups>
- Re: Re: CREST or TIGER? cwright (Oct 19)
- Re: Re: Re: CREST or TIGER? cwright (Oct 19)
  - Re: CREST or TIGER? Danny Fullerton (Oct 20)
- Re: CREST or TIGER? cwright (Oct 20)
- RE: CREST or TIGER? Paul J Docherty (Oct 23)