Hi,
Ability really does matter and is tough to measure. But possible.
Disclaimer: I work for ISECOM. I wanted to point out that with all this
talk about ability over certification, that this is exactly the problem
ISECOM addresses with the OPST and OPSA. Both courses focus on the
ability-- applied knowledge- required for those in security testing and
security analysis. Ability is such a major part of the certification
that the test-taker can use books, notes, and the internet as resources
during the exam. While neither the OPST nor the OPSA is specifically for
penetration testing (for example it is more about recognizing and
verifying a security problem than about tools or writing exploits which
is something many pen-testers like to focus on) the one thing that makes
it really different is that the certification does actually measure
ability under time pressure. This is why it's so popular with certain
industries and government institutions as a vetting tool for new hires
and promotions because at the very least, they know from the exam
transcript the skill strengths and weaknesses of the candidate for the
basic requirements.
You can read up more on both at www.opst.org and www.opsa.org if you'd like.
FYI, we've noticed some scary patterns in what areas the majority fails
to be able to do correctly and what people claim to do or have
experience in. Interestingly, those who label themselves working as
penetration testers or ethical hackers often make the mistake of not
understanding how the tools actually work (for example what type of
responses are needed for the tool to function correctly and how to
verify it). Or they trust their tools too much (for example labeling a
system as OpenBSD because NMAP fingerprinting says it is even though all
the additional information one can find about the system clearly shows
it cannot be). We see this pattern in both the OPST and OPSA. This
inevitably causes problems on the exam for them from the initial
logistics (checking the network parameters before starting the test) and
right through to verifying if a problem (vulnerability) exists or is a
false positive. I can only imagine how badly they screw up real-world
audits where situations can get more odd or more complex than the
scenarios they may encounter in the exams.
Anyway, I really think we're not ready yet to start "licensing"
professionals. However, once the average pen tester begins working in
areas that affect the safety of living things both directly and
indirectly, we will need to consider a form of licensed practitioner.
Sincerely,
-pete.
James Boomer wrote:
I couldn't agree with you more. But if someone has the knowledge and the
know how then taking the exam won't hurt a bit. But I completely agree with
you 100% as I myself own a Security Consulting Firm and have run into the
same problem. You need to Know the practical side and the real life side and
finding good people who do and keep current on it is always a challnge.
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------
