Maturing The Penetration Testing Profession

How do you define a penetration test, or identify a penetration tester? Generally, highly skilled professions have well-defined requirements for both the professionals and the work they provide. Penetration testing, however, has virtually no definition, requirements, or standardization, and the term can cover anything from vulnerability scans to exploit development. While not the only profession in the information security field to lack definition, it is arguably the least defined. The end result is often low-quality, unsatisfactory assessments that leave organizations still vulnerable to unsophisticated attacks.

This talk will cover the current efforts of some groups organized to help professionalize the penetration testing field, including the National Board of Information Security Examiners (NBISE) Operational Security Testers (OST) panel and the Council for Registered Ethical Security Testers (CREST). Though they are distinct initiatives, the end goal of these groups is to provide frameworks within which penetration testers, managers, and customers can operate, hopefully ensuring more consistent and measurable tests.

Presented by