Re: Licensed Penetration Tester LPT

From: Pete Herzog <lists@xxxxxxxxxx>
Date: Fri, 21 Apr 2006 10:08:37 +0200

Hi,

Ability really does matter and is tough to measure. But possible.

Disclaimer: I work for ISECOM. I wanted to point out that with all this talk about ability over certification, that this is exactly the problem ISECOM addresses with the OPST and OPSA. Both courses focus on the ability-- applied knowledge- required for those in security testing and security analysis. Ability is such a major part of the certification that the test-taker can use books, notes, and the internet as resources during the exam. While neither the OPST nor the OPSA is specifically for penetration testing (for example it is more about recognizing and verifying a security problem than about tools or writing exploits which is something many pen-testers like to focus on) the one thing that makes it really different is that the certification does actually measure ability under time pressure. This is why it's so popular with certain industries and government institutions as a vetting tool for new hires and promotions because at the very least, they know from the exam transcript the skill strengths and weaknesses of the candidate for the basic requirements.

You can read up more on both at www.opst.org and www.opsa.org if you'd like.

FYI, we've noticed some scary patterns in what areas the majority fails to be able to do correctly and what people claim to do or have experience in. Interestingly, those who label themselves working as penetration testers or ethical hackers often make the mistake of not understanding how the tools actually work (for example what type of responses are needed for the tool to function correctly and how to verify it). Or they trust their tools too much (for example labeling a system as OpenBSD because NMAP fingerprinting says it is even though all the additional information one can find about the system clearly shows it cannot be). We see this pattern in both the OPST and OPSA. This inevitably causes problems on the exam for them from the initial logistics (checking the network parameters before starting the test) and right through to verifying if a problem (vulnerability) exists or is a false positive. I can only imagine how badly they screw up real-world audits where situations can get more odd or more complex than the scenarios they may encounter in the exams.

Anyway, I really think we're not ready yet to start "licensing" professionals. However, once the average pen tester begins working in areas that affect the safety of living things both directly and indirectly, we will need to consider a form of licensed practitioner.

Sincerely,
-pete.

James Boomer wrote:

I couldn't agree with you more. But if someone has the knowledge and the
know how then taking the exam won't hurt a bit. But I completely agree with
you 100% as I myself own a Security Consulting Firm and have run into the
same problem. You need to Know the practical side and the real life side and
finding good people who do and keep current on it is always a challnge.

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request@xxxxxxxxxx for details.
------------------------------------------------------------------------------

References:
- RE: Licensed Penetration Tester LPT
  - From: James Boomer

Prev by Date: Live Linux Distro
Next by Date: Re: nmap and icmp-replies
Previous by thread: RE: Licensed Penetration Tester LPT
Next by thread: Re: Licensed Penetration Tester LPT
Index(es):
- Date
- Thread

Relevant Pages

Re: CISSP
... There are certifications and there are certifications. ... certifications where one memorizes security trivia and regurgitates it on ... I'm saying this because at ISECOM we have been an authority for applied ... pass an exam against a live network. ...
(Pen-Test)
RE: Value of certifications
... I took a 40 hour CCNA course before taking the exam. ... Through the years, I've touched on security in various fashion, and the ... law issues in the case of forensics, but we have a law department that ... So, to summarize, from a knowledge aspect: Some certs = good (you can ...
(Security-Basics)
Re: exam 70-330.
... >which one will see me through the exam. ... Applications with Microsoft Visual Basic .NET and Microsoft ... security and security with reference to Forms Authentication ... initialization vector to the stream. ...
(microsoft.public.cert.exam.mcsd)
#70-299
... Microsoft Windows Server 2003 Network< ... Be sure to check out the Preparation Guide for Exam 70-299 ... lot of the same material is tested...only with a security ...
(microsoft.public.cert.exam.mcse)
Re: Advise on next exam ????
... There is the entire book of Improving Web Application security for free ... As a lot of it doesn't completely relate to the exam, ... I don't really know of any quick online refreshers, ... Microsoft Certified Solution Developer ...
(microsoft.public.cert.exam.mcsd)