
This kind of pen tester doesn't test pens
Neil Sanson
22 December 2014 at 10:35


Pen testers are the people who hack into websites or systems connected to the internet to test whether they have been securely designed and implemented. "Pen test" is short for penetration testing and has nothing to do with making sure ink flows when required from writing implements.

Penetration testing is something that should be done regularly with any website that processes personal information in order to be confident that reasonable security is being provided.

When choosing someone to do this testing, you should look to see that they are using appropriate standards or guidance such as that provided by the Open Web Application Security Project, otherwise known as OWASP. But this does not tell you anything about how well they conduct the work.

A new credential in the area of pen testing is CREST (Council of Registered Ethical Security Testers). CREST certification requires experience and tests for competency.

For an audit to be CREST certified it must be led by a CREST certified person. CREST also includes a code of conduct which governs how testing assignments are handled, so it serves as an assurance of the quality of this work.

CREST was started in Britain and is now being supported in Australasia. Its adoption in New Zealand is being supported by the New Zealand Internet Task Force (NZITF). The members of NZITF are the security, policy, IT and telecoms technical people who keep the infrastructure of the internet in New Zealand sort of safe so you can watch videos of cute kitties (if that is what you like to do).

I use the term "sort of safe" because that is the best we can actually do in any part of our lives, which is why we need to remain alert, even on the internet (check out Netsafe's good advice on this topic here).

Not having a CREST credential does not mean someone offering pen testing will not do a good job, but I think this best-practice industry certification should be requested by anyone hiring pen testers. That way you will get an industry-recognised assurance that their security meets a "reasonable security" test or standard.
