How do you define a penetration test, or identify a penetration tester?
Generally, highly skilled professions have well defined requirements of both the
professionals and the work they provide. Penetration testing, however, has
virtually no definition, requirements or standardization and can cover anything
from vulnerability scans to exploit development. While not the only profession
in the information security field to lack definition, it is arguably the worst.
The end result is often low quality, unsatisfactory assessments that leave
organizations still vulnerable to unsophisticated attacks.
This talk will cover the current efforts of some groups organized to assist in
professionalizing the penetration testing field, including the National Board of
Information Security Examiners (NBISE) Operational Security Testers (OST) panel
and the Council for Registered Ethical Security Testers (CREST). While different
initiatives, the end goals of these groups are to provide frameworks for
penetration testers, managers and customers to operate within, hopefully
ensuring more consistent and measurable tests.
David McGuire
David McGuire is a Senior Security Engineer with Veris Group, LLC where he leads
penetration testing and vulnerability assessment efforts for commercial clients
and major Federal agencies, including the Department of Justice (DOJ) and the
Department of Homeland Security (DHS). He specializes in penetration testing
methodologies, tools and techniques and wireless & mobile device security. David
has extensive experience in conducting large scale, highly specialized and
technically difficult network vulnerability assessments, penetration tests and
adversarial (red team) network operations. In addition, he has considerable
experience in training participants from various disciplines in computer
security, adversarial network operations and penetration testing methodologies,
including at major industry conferences such as the Black Hat. Previously, David
was the senior technical lead at a large Department of Defense (DoD) Red Team,
providing mission planning and direction through numerous large scale
operations. David has a Bachelor’s Degree in Computer Information Technology and
is a CREST Certified Infrastructure Tester, GIAC Certified Penetration Tester (GPEN),
GIAC Certified Web Application Penetration Tester (GWAPT) and Offensive Security
Certified Professional (OSCP).
If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.
Copyright 2020, IronGeek