From: www.itworld.com
April 9, 2007 —
There's been a lot of recent talk about certifications for penetration testing, but don't be swayed. You must continue to carefully vet your security partners when it comes to protecting your perimeter. Here's why.
First, most certifications and certifying organizations are little more than cash cows. Take some of the more popular certifications such as ISC2, A+, MCSE and others: they've become big businesses, and they generate lots of money. Even the secondary markets such as books, training courses, etc. are raking in the cash.
Second, certificates aim to establish only minimum levels of knowledge, and who really wants to hire that?
Third, certifications do not address a client's knowledge barrier: understanding what penetration testing is, how it differs from a vulnerability assessment, when to use it properly as a tool and when it may do more harm than good are just a few of the lessons a security partner must pass along.
The harsh truth is that certification of penetration teams is just another false security blanket for organizations that want to avoid the hard work of vetting a security partner, and sadly, the majority put way more stock in certifications than they should. It is a dangerous situation.
Here's the tip: forget about the certification. If you're in the market for a security expert who specializes in penetration testing, do reference and background checks, review professional business items such as insurance, and use the more traditional means of verifying that a business is really what it seems to be.
MicroSolved, Inc.