An industry association has been created for ethical hackers, in a bid to reassure buyers of systems and applications that such products have been sufficiently tested.
The Council of Registered Ethical Security Testers (Crest) made its public debut on Wednesday at the Infosecurity Europe conference in London. The aim of the council is to standardise ethical penetration testing and provide professional qualifications for the testers.
"Penetration testing is a widely accepted method of assuring information security and has become an integral part of many organisations' operational and technology risk management programs," said Crest chair Paul Docherty. "Yet despite the widespread use of penetration testing, there has historically been a definite lack of agreed commercial standards and practices. We formed Crest with a number of other providers in order to supply a high level of standard to companies who engage with security testers."
Crest's advisory panel includes representatives from insurance group Aviva, Lloyds TSB and the NHS. Aviva's David King said the organisation would "provide an industry standard to allow the purchasing community to have confidence [in the products they are buying]".
Member companies are part of the new Crest trade body, which will govern the Crest professional body that provides for individuals who are not employed by the member companies, in areas such as exams.
Crest is running certification examinations in two streams: infrastructure testing and web-application testing. Testers can either apply for certification at the corporate level, which costs £7,000, or on a standalone level as a "Crest associate", which will cost them £1,600 to sit the exam.