A Penetration Testing Certificate that details the key features of a recent test can be invaluable. It provides independent verification that a test of particular networks or technology components took place on a particular date or over a particular period of time.
It also records the testing methodologies and security standards employed to support the security assessment.
Why Is A Penetration Testing Certificate Necessary?
For some organisations a certificate is not necessary.
However, it is a very convenient way of demonstrating that penetration testing has been performed by a reputable third party.
Organisations perform penetration testing for a variety of reasons: for compliance, to improve the security of supporting technologies and networks, or to correct issues after a compromise or hacking attempt.
The certificate acts as a simple reference that has been independently verified by Ambersail. It takes the form of a link to an online document on Ambersail’s secure website. At a glance, business partners, peers, regulatory bodies and customers can see that security validation and assessment work has taken place.
What Can I Expect To See In A Certificate?
The certificate contains useful reference information: when the test was performed, that the testing was undertaken by Ambersail, a CREST certified company, and that the testing followed industry guidelines and best practice techniques.
It will not contain test results or specific test targets. That information is confidential and should never be widely distributed or displayed.
Why Are Penetration Test Standards Important?
The standards listed on the penetration testing certificate reinforce how comprehensive the penetration test is. Interested parties can see that the company under test has been subjected to a recognised and respected testing regime.
The certificate references a number of standards.
The PCI standard, more precisely the Payment Card Industry Data Security Standard. This places a great deal of importance on penetration testing and on fixing any significant issues identified during testing. Normally only networks that support payment card processing are included in PCI penetration testing.
CREST – Council for Registered Ethical Security Testers. An international, not for profit accreditation body that promotes best practice penetration testing techniques and approaches. This includes understanding the customer’s penetration test requirements, comprehensive and thorough testing, and the creation of test reports that customers can understand and act on.
CWE – Common Weakness Enumeration. This is a standardised and widely accepted list of software weakness types. It acts as a baseline for grading and rating the security of the technologies being tested for security weaknesses.
OWASP – The Open Web Application Security Project. This is an open community dedicated to application security, providing industry recognised advice and guidance to help organisations develop, operate and maintain secure applications.
How Can I Find Out More?
Full information on Ambersail’s Penetration Testing Services can be found here.
If you want to speak with an Ambersail adviser, simply call us on +44 (0)1925 607250, or use the contact forms on this site and one of our team will call you back.