
This kind of pen tester doesn't test pens
Neil Sanson
22 December 2014


Pen testers are the people who hack into websites or systems connected to the internet to test whether they have been securely designed and implemented. 'Pen test' is short for penetration test and has nothing to do with making sure ink flows when required from writing implements.

Penetration testing should be done regularly on any website that processes personal information, so that you can be confident reasonable security is being provided.

When choosing someone to do this testing, you should look to see that they are using appropriate standards or guidance, such as that provided by the Open Web Application Security Project, otherwise known as OWASP. But following a standard by itself tells you nothing about how well they conduct the work.

A new credential in the area of pen testing is CREST (Council of Registered Ethical Security Testers). CREST certification requires experience and tests for competency.

For a test to be CREST certified, it must be led by a CREST certified person. CREST also has a code of conduct which governs how testing assignments are handled, so it serves as an assurance of the quality of this work.

CREST was started in Britain and is now being supported in Australasia. Its adoption in New Zealand is being supported by the New Zealand Internet Task Force (NZITF). The members of NZITF are the security/policy/IT/telecoms technical people who keep the infrastructure of the internet in New Zealand sort of safe so you can watch videos of cute kitties (if that is what you like to do).

I use the term ‘sort of safe’ because that is the best we can actually do in any part of our lives - which is why we need to remain alert, even on the internet (check out Netsafe’s good advice on this topic here).

Not having a CREST credential does not mean someone offering pen testing will not do a good job, but I think this best-practice industry certification should be requested by anyone hiring pen testers. That way you will get an industry-recognised assurance that your security meets a 'reasonable security' test or standard.



Comments

  • Hello @Neil Sanson, thank you for this valuable article posted to the privacy.org.nz website.

    Here in this article you have nicely described CREST. It was started in Britain and is now being supported in Australasia. Pen testers or penetration testers are not doing well at hacking security by following the rules and regulations of the Open Web Application Security Project (OWASP). It was really helpful for me to learn about CREST.
    So far it is a good and ethical hacking site and will help you a lot. This is a United America based site.

    Ethical hacking site, all check it out: http://hackerslist.co Hire a professional hacker for your infected site.

    Posted by Mark Klinger, 28/03/2016 12:37am (17 months ago)


    The aim of the Office of Privacy Commissioner’s blog is to provide a space for people to interact with the content posted. We reserve the right to moderate all comments. We will not publish any content that is abusive, defamatory or is obviously commercial. We ask for your email address so that we can contact you if necessary to clarify your comment. Please be respectful of authors and others leaving comments.
