When it comes to penetration testing within the UK, there are several different types of certifications that security testers, or otherwise known as “ethical hackers” can have. When you start looking to obtaining a penetration test you may start to look around and think about what you should be looking for.
Normally, one of the first things people look for are locality, cost, and brand identity. When it comes to these areas, the following ones are the most common within the UK. However, there are more out there and some companies and testers will have more than one type of certification.
- Offensive Security
But how do you know which one you go with? Each one has its own pros and cons and we’ll discuss these below.
When it comes to penetration testing and branding, CREST is the most widely adopted and known. Although that may have recently taken a bit of a dent. People and companies tend to utilise CREST when there is demand for penetration testing work for Government or Government supplied testing or that they want a well-known established penetration testing company that has the name behind them.
CREST, the company, is an international not-for-profit accreditation and certification body primarily based in the UK which certifies penetration testers and which companies can join to become a CREST registered member for a certain annual fee.
The advantages of going with a CREST tester and/or business is that you are going with a person/business that has experience as well as the knowhow to perform your testing and have gone through a rigorous test. Most of the time testers will have experience in many different areas and the business will be able to help you with all of our requests.
The downside is that the cost of CREST testing is usually quite a bit more than any other company, sometimes CREST related companies may be several hundred pounds a day more expensive, which can be a hindrance if you are on a budget or a smaller company.
TigerScheme’s certifications are probably the second most popular certification within the UK, which aren’t entry level. The certifications are based on the same sort of criteria as CREST as in they have their low level and higher-level certifications.
TigerScheme is based in Wales and have similar testing practices to CREST, testers go through a rigorous certification process to ensure that the testers know what they are doing and have the skill to perform the roles.
One difference is that businesses cannot join to be a TigerScheme company, only the user becomes TigerScheme certified.
The advantage however of using TigerScheme testers are that the annual costs and running are a lot lower for testing companies who use TigerScheme testers. This means that the cost savings can be past on to the end user, you.
Offensive Security’s certifications are technical certifications, they offer many different types of certifications, these certifications are primarily used to show that the testers have a certain level of experience and knowledge. There are several certifications which can be obtained and several levels, these certifications can help the tester work towards a CREST certification.
Testing companies and/or testers who have these Offensive Security certifications will have enough experience to perform the role and find exploits and holes within your business.
EC Council’s certification offerings are in my opinion foundational certifications, designed to get people on the ladder for information security and penetration testing. These certifications don’t provide much technical knowledge, however, are a good starting point for people.
It is recommended that if you are getting a penetration testing company, that you ensure that you have a tester which has something else other than EC Council related certifications.
There are more certifications out and available that testing companies use within the UK, however the ones mentioned in this article are the most popular in our opinion. We hope that this article helps you understand the processes and types of certifications which are available.