From next month organisations and individuals that provide security penetration testing services will be subject to an accreditation process.
The scheme, being run by trade association the Council of Registered Ethical Security Testers (Crest) is designed to provide firms with greater confidence when they appoint third parties to perform ethical hacking to identify system weaknesses.
Crest will certify that penetration testers meet minimum standards of ethics, methodologies and technical capabilities, and wants to outlaw vendors that prey on businesses’ lack of knowledge about what a comprehensive security test involves.
‘The lines are unclear as to what constitutes security assessment and people need to be presented with a holistic standard,’ said Paul Docherty, who sits on Crest’s operational management committee.
The committee says demand has been high from the penetration testing industry and its customers.
‘The fact that we already have firms who are clamouring to become members because businesses are demanding our accreditation shows the customer demand for this standard,’ said the committee’s Paul Vlissidis.
The individuals creating the original assessments were also involved in setting up Check, a very similar scheme that only applies to the government sector.
Mark Raeburn, another member of the committee, says the assessments themselves will be as rigorous as Check.
‘Each candidate will not only have to run the correct tools to test security, but explain why they are running certain tools and what those tools are doing to demonstrate a rounded knowledge of the issues,’ he said.
But Nick Bleech, information security director at engineering giant Rolls-Royce, says businesses could still have trust concerns.
‘At present I rely on companies that ensure their people have been through the government-run Check scheme, because this tells me that a tester has been subject to a level of vetting or background checking and an independent test of skills,’ he said.
‘There are a lot of problems about doing background checks outside the government context; companies might not be interested in a “new” certification which says, in effect, “trust us, we self-certify against some company-defined code of practice”.’
The Crest committee members say they have sought extensive consultation with the organisations they will be testing, and ongoing relationships will ensure the standard remains appropriate to the threat environment.
Crest has established an industry advisory panel of key user organisations.
Carrie Hartnell, programme manager at Intellect, believes users will support the scheme if it liaises with the industry.
‘Intellect believes companies could support a non-government scheme, especially if it avoids the market of testers being fragmented into non-government and government sectors,’ said Hartnell.
‘The key is continued liaison with their employers to ensure standards remain relevant.’