Penetration Testing mailing list archives
Re: CREST or TIGER?
From: "Rory McCune" <rorym.forums () gmail com>
Date: Sun, 21 Oct 2007 14:20:24 +0100
Hi,
From what I understand of CREST, it's not actually intended as a
certification for individual Penetration Testers, but one for Penetration Testing companies. Essentially it's intended as a expansion of the UK government CHECK scheme for certifying penetration testing companies/individuals, but more applicable to private companies rather than purely government organisations. I've spoken to several Penetration testing companies and most of them are involved in CREST in some way or another, as such it's got a fair bit of momentum going, although it's taken quite a bit longer than expected to get everything set up. I'll wait to see what the quality of the exams are when they come out. Tiger on the other hand, I've not heard anything about from Pen testing companies at all, and there doesn't seem to be any information about specific industry backers on the site... As to grandfathering, I know it's an inevitable part of setting up a certification but t.b.h I'm not that impressed by requiring either CEH or an MSc. CEH as it doesn't seem to be hugely well regarded, and MSc because it's not exactly directly relevant to Penetration testing! cheers Rory On 10/17/07, EH <penetration1 () googlemail com> wrote:
All, I would value your opinion. I am trying to make a comparison between the 'new kids on the block' in terms of pen tester accreditation here in the UK, CREST and TIGERScheme, for my organisation. So far I've come up with the following information. CREST TIGER An existing examination No Yes Independent of suppliers No Yes End user driven No Yes Not for profit Yes? Yes Applicable to Individuals Yes? Yes Company standards Yes Yes (CCTM) Career path Yes? Yes University standard No Yes It seems that the TIGER Scheme www.tigerscheme.org is fully up and running and accrediting individuals already plus it is a University based examination which CREST www.crest-approved.org is not. I see from the CREST website that they are in support of the often maligned multiple guess CEH examination and will 'grandfather' individuals into the 'CREST approved' scheme if they have CEH. Now I am a CEH [amongst other things I hasten to add] and I sat the exam in early 2003. It was taken reasonably seriously then but it seems that the pen test communities opinion of the cert has deprecated somewhat over time ... so is CREST a re-branded EC-COUNCIL? If so will they go the same way? To grandfather into TIGER at the lowest level of certification you need an approved MSc in Computer Security. Basically any certs I recommend for my organisation I want to be taken seriously now and in future. I am heavily leaning towards TIGER. Your thoughts? Thanks in advance. EH ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- CREST or TIGER? EH (Oct 18)
- Re: CREST or TIGER? Danny Fullerton (Oct 19)
- RE: CREST or TIGER? Shenk, Jerry A (Oct 19)
- Re: CREST or TIGER? mamo (Oct 21)
- Re: CREST or TIGER? Rory McCune (Oct 21)
- <Possible follow-ups>
- Re: Re: CREST or TIGER? cwright (Oct 19)
- Re: Re: Re: CREST or TIGER? cwright (Oct 19)
- Re: CREST or TIGER? Danny Fullerton (Oct 20)
- Re: CREST or TIGER? cwright (Oct 20)
- RE: CREST or TIGER? Paul J Docherty (Oct 23)
- Re: CREST or TIGER? Danny Fullerton (Oct 19)