CREST, OSCP, CEH… Should you require certifications from your pentest providers? To select a pentest provider, security certifications are obviously useful although they cannot be the only way to assess the value of a service and the skill level of pentesters. There are other aspects that should be considered too. Another related topic is the recognition of the pentest value and the certificates that you may be able to show to your customers.
Doing a penetration test with a certified provider
Doing a pentest with a company owning recognised certifications is interesting for you (as a company) and for your clients and partners (with whom the security reports can be shared).
Some of the security certifications apply to the pentest provider company, others apply to the security auditors working in the pentest provider company.
Security certifications for penetration testing companies
Companies can be certified in penetration testing. Although this is not mandatory for delivering pentests (et being good at it) owning a specific certification in penetration testing proves that the company’s processes have been assessed by an independent third party. Furthermore, companies can get security labels to prove that the security of their IS and their data meets national or international standards.
However it should also be known that some small and highly skilled companies have little time and resources to spend on certification processes while other companies having less experience in pentest may have more resources to spend on certification processes.
International label for pentest companies: CREST
CREST offers the most internationally recognised labels for companies performing technical cybersecurity services.
CREST is an independent accreditation and certification body that represents and supports the technical information security market (penetration testing, cyber incident response, threat intelligence and SOC services). Being CREST approved for pentest is required by companies of many countries when selecting a pentest provider, as it shows that the provider has successfully passed a rigorous assessment of its business processes, data security and security testing methodologies.
Please note that some other labels for pentest companies are specific to national markets. For instance PASSI is the most recognized label in France as it is delivered by the national agency for information system security.
Cybersecurity labels for businesses: ISO27001 & SOC2
ISO27001 is an international standard for all types of companies that want to prove their commitment to cybersecurity and data protection.
ISO27001 applies to the information security management system. It is a widely known and comprehensive standard covering all areas of cybersecurity. It should be noted that this standard does not specifically apply to pentesting services so it does not require an assessment of security testing methodologies. Instead it proves that a company is compliant regarding its internal security policy and processes.
SOC2 is a procedure for service providers that want to prove their commitment to the privacy of their clients. It is based on 5 principles: security, availability, processing integrity, confidentiality and privacy. SOC2 compliance is a must have for SaaS providers targeting the US market. It does not specifically apply to penetration testing services. For software companies, there are also other security certifications that are internationally recognized, such as Common Criteria. For IT services companies, there are plenty of labels according to the specific technical areas (security incident detection, cloud service providers, payment solutions, etc).
Security certifications for pen testers
Apart from the certifications owned by pentest companies, other certifications can be owned by pentest professionals (individuals). Certifications for pentesters are individual however pentest companies can encourage their employees to get certified by purchasing preparatory courses and/or granting specific time to prepare exams.
Please note that certifications are certainly not the only criteria to know the level of expertise of a pentester. Indeed some junior security auditors or even some security students can obtain a OSCP or CEH certification, while some senior pentesters own no certification at all. Nevertheless, working with certified pentesters means ensuring that some of their skills have been validated by an independent third party.
Certifications for professional pentester: CEH and OSCP
CEH (Certified Ethical Hacker) and OSCP (Offensive Security Certified Professional) are the two mostly popular and internationally recognised certifications for professional pentesters (or ethical hackers).
These two certifications differ in terms of content and assessment processes, but their purpose is to validate a level of knowledge and skills in ethical hacking / offensive security. CEH and OSCP are frequently put forward by pentesting companies to promote the skills of their consultants to their customers.
Certifications related to specific types of pentest (web pentest, social engineering pentest…)
Some other certifications for pentesters are more specific to certain types of penetration tests.
For web application pentesting, there are GWAPT, eWPT and OSWE. These certifications are exclusively focused on the types of flaws and offensive techniques specific to the web. Indeed, web application penetration testing requires a very different approach and skills from infrastructure and network penetration testing. If security auditors do not have these certifications, it is useful to look at whether they have web development skills. Indeed, combining web development experience with pentesting experience is even more credible and competent than having prepared a certification without having a technical background in web technologies.
For social engineering pentesting, there is a specific certification: SEPP. This one is exclusively focused on social engineering techniques, allowing to test the human factors of cybersecurity. However, as this certification is not very widespread, it is interesting to focus more on the experience of the auditors in this field and the ability of the pentest provider to propose a relevant approach for this type of audit.
Certifications related to specific technologies
Although they are not specific to security and pentesting, certifications related to specific technologies can be very useful for conducting a pentest.
On the server layer, Linux, Unix and Windows technologies correspond to specific expertise. An experienced pentester will be able to test systems based on different types of technologies. However, an in-depth knowledge of Linux, for example, will allow to go further in the discovery and exploitation of certain flaws and to provide a more detailed level of recommendation following the security audit. This type of advanced expertise can be demonstrated by Linux certification, or by significant experience as a Linux administrator.
Cloud technologies, and in particular the most popular public cloud infrastructure (AWS, Azure, Google Cloud) also represent expertise of their own. There are specific certifications for the cloud and even for cloud security, for example AWS Certified Security Specialty.
On the application layer, the technologies commonly used (PHP, Java, Ruby, Python, NodeJS, etc.) also correspond to specific expertise. This is also the case for the various frameworks specific to these technologies. An in-depth knowledge of PHP and Symfony, for example, will allow a pentester to go even further in certain types of tests and recommendations for correcting vulnerabilities. This kind of advanced expertise can be demonstrated by a Symfony certification, or by significant experience in developing under Symfony.
Other cybersecurity certifications
There are also more general cybersecurity certifications that pentesters may hold and which can be of interest to their clients.
CISSP is a certification that covers the aspects of security assessment and testing, but from a general cybersecurity professional point of view. It validates knowledge of all cybersecurity topics (risk management, asset security, security architecture and engineering, communications and network security, identity and access management, security assessment and testing, software development security…) instead of focus on penetration testing. This can be very useful for advising clients on their pentest strategy with an understanding of all security issues.
ISO27001 Lead Implementer is a certification that is more focused on the ‘functional’ aspects of security, for professionals in charge of helping companies achieve an ISO27001 certification. In the context of penetration testing, this can be useful to consider clients’ needs with a more global approach.
Other criteria beyond certification
As mentioned earlier, certifications in themselves do not sum up all the skills of the penetration testing companies and of its pentesters. It is important to consider other criteria to assess the relevance of a provider to perform a security audit.
- Core business: Does the company specialise in pentest? What volume of business does penetration testing compared with other services?
- Methodology and tools: How does the company describe their approach for a pentest? What methodology and tools does it rely on?
- Understanding of customer needs: What is the service provider’s ability to understand and reformulate your needs? What is the provider’s degree of technical understanding and how technically precise is the proposal?
- Processes: What are the provider’s processes to define the pentest scope, to contract, and to conduct the security audit?
- Links with other structures: Is the company independent? Or is it a subsidiary of a group with other activities? What type of clients does it work for and what types of penetration tests is it mostly familiar with?
- Attractiveness: How attractive is the company for penetration testers? And therefore, what is its capacity to recruit and retain good profiles?
- Ethics: What are the guarantees in terms of data protection and confidentiality of results? Does the company have any other ethical or even CSR commitments?
Getting certified after a pentest
When talking about security and certification, the question of delivering a pentest certificate to the client also arise. Depending on the objectives of the client company, the pentest can either be a part of a security certification process or a final achievement as it allows sharing specific document with its clients and partners.
Preparing a cybersecurity certification
For a company undertaking a pentest, the final objective may be to obtain a cybersecurity certification. For instance, ISO27001 or SOC2. In this case, the pentest is one of the steps towards compliance. Please note that it is important to inform the pentest provider about your certification project, as this goal (as well as the risks identified during other steps of the certification process) will have an impact on the scope of the pentest.
Support in preparing a certification such as ISO27001 and penetration testing are two distinct services. Some companies may offer both types of services, but it is common to work with different providers in order to hire dedicated experts and to get a completely neutral view on the pentest.
Obtaining a pentest certificate
It is also possible to obtain a security audit certificate (or pentest certificate) after certain types of pentest.
In this case, it is a private certificate issued by the company that performed the penetration test. The certificate proves that a penetration test has been carried out by a third party specialised in the field. The pentest company commits its image and the quality of its work by officially attesting the work carried out. Generally, this type of certificate is issued after a comprehensive pentest (in-depth penetration testing and retest of the vulnerabilities after they have been fixed) in order to avoid engaging the provider’s credibility if the pentest was of limited duration and only covered part of the exposed scope.
A pentest certificate is a document to communicate to prospects, clients and partners.
Other documents that can be obtained after a pentest
Other documents can also be transmitted to third parties following a pentest, for instance the pentest reports.
Several types of report can be shared:
- The pentest technical report, which details what has been tested, which vulnerabilities have been found and remediation suggestions
- The remediation report, which shows that the security flaws found during the initial pentest have been resolved
- The executive summary, which provides a non-technical summary for management or non technical decision makers
In some cases, it is also possible to obtain a label or a private seal (issued by the pentest company) following the security audit. This is the case of the four seals of security approval delivered by Vaadata.
Other actions to strengthen your security
Demonstrating that a pentest has been carried out, or communicating the results, is not the only way to strengthen your security and to meet the requirements of your customers or partners.
Cybersecurity covers many topics, so there are many actions to take to ensure the protection of your customers’ data and to comply with various requirements.
Depending on the activity of your company and depending on your customers, different types of documents will be required: risk analysis, ISSP, pentest reports, incident response plan, disaster recovery plan, etc.
Depending on the priorities, some companies will work specifically on certain procedures to develop the corresponding documentation, while others will turn to the ISO27001 certification process which covers all topics relating to cyber security in the company.