Penetration Testing mailing list archives
Re: CREST or TIGER?
From: cwright () bdosyd com au
Date: 20 Oct 2007 21:23:02 -0000
Hi Danny et al.,

One of the main points that I am trying to convey is that we should not be distinguishing and/or classifying ourselves quite so readily. In your post you are effectively making a clear distinction between them and us. Them being HR, business groups and non-IT people in general; us being a cadre of IT specialists.

You talk of an effective measuring system. This is achievable for an individual task. The issue, however, is that each organisation will vary both in its risk appetite, its competency and its focus. The difficulty is in finding which metric would then suit which organisation. This would be compounded further as technology changes and as the company's systems and processes change. More importantly, it only covers one leg of the three apexes of security. The commonly overlooked areas of people and processes come second in this view. It leads to a projection that information security technical people are solely responsible and capable in mitigating information risk.

The difficulty on this point is that many technically adept penetration testers fail to understand business rules. The result is that they concentrate on system vulnerabilities and technical failures to the exclusion of what is often much simpler to bypass.

As for my own, all I have completed still fails as proof. To give an example, I am now a pointy-haired manager, Corp, suit or any other term that you may wish to apply. As a consequence, many people will not take what I say seriously. There are those who believe that external factors (such as wearing a T-shirt) add to credibility.

Actions speak louder than words. What certification will do is give you an opportunity to prove yourself. This is when your actions have to speak. After you get past HR, when the client has selected you for the job, or whatever other initial gate has been passed as a result of the certification, then come your actions. So the certification can be an enabler.

I do agree that they don't prove skills in many cases, but if you can get through the first gate you don't get to prove anything.

Regards,
Craig

_____ In Reply to ____

Hi Craig,

It looks like you misinterpreted most of what I said or, somehow, I did not explain myself clearly enough. So let me rephrase.

"penetration1_googlemail.com" talked about being taken seriously, and I was arguing that certification and studies are not what I use to form an opinion on the competency level of security professionals. I never said it was crap. My own experiences prove certifications/studies were absolutely not a perfect match with people's competency.

In your case, the whole thing (publications, books, certifications, etc.) would prove to anyone that you have large and proven competency. Your case is quite different from the one who only did one or two certs and nothing else really related to security.

As I said, I found certifications and studies really useful when dealing with external people. It's not a perfect and/or always fair system, but it does help external people who are unable to measure security professionals' competency themselves (clients, HR, etc.). I guess a better system would have to be free and complex while covering every aspect of security professionals' abilities in order to be a really effective measurement program. But I doubt this could ever be done.

Everything I said was without any pretension and signed as being my own opinion. Still, for all those reasons, my opinion does not change. My only hope is to make the latter understood correctly.

---
Danny Fullerton
Founder
Mantor Organization
Current thread:
- CREST or TIGER? EH (Oct 18)
- Re: CREST or TIGER? Danny Fullerton (Oct 19)
- RE: CREST or TIGER? Shenk, Jerry A (Oct 19)
- Re: CREST or TIGER? mamo (Oct 21)
- Re: CREST or TIGER? Rory McCune (Oct 21)
- <Possible follow-ups>
- Re: Re: CREST or TIGER? cwright (Oct 19)
- Re: Re: Re: CREST or TIGER? cwright (Oct 19)
- Re: CREST or TIGER? Danny Fullerton (Oct 20)
- Re: CREST or TIGER? cwright (Oct 20)
- RE: CREST or TIGER? Paul J Docherty (Oct 23)
- Re: CREST or TIGER? Danny Fullerton (Oct 19)