It can often be hard to know what makes someone qualified to perform penetration testing. There’s no such thing as a “licensed penetration tester” in terms of an international, federal, or state approval, like a lawyer or medical professional. And if you’re not in the security industry, it can be extremely difficult to decipher the “acronym soup” after someone’s name. Obviously there’s more to making someone truly qualified than what certifications they hold, but this is often the best place to start to get a quick understanding of the level of expertise of someone performing penetration testing for your organization. So let’s take a look at what some of the most popular penetration testing certifications can tell you about someone and help answer what certifications penetration testers should have.
The Offensive Security Certified Professional (OSCP) certification signifies a penetration tester who has gone through one of the most rigorous and realistic hands-on penetration testing exams that exist on the market today. This is one of the very few certifications that requires an individual to do real hacking in a lab environment, giving the candidate 24 hours to break into 5 machines, escalate their privileges, and grab flags. The candidate then has another 24 hours to write up all of those findings, including screenshots, into a penetration testing report. There are no multiple-choice options here, which is one of the reasons this certification has quickly become one of the most sought-after for professionals in the industry. It should also indicate to you, as a consumer of penetration testing services, that the tester has a substantial level of technical ability when it comes to network-level penetration testing and has proven it.
The Global Information Assurance Council (GIAC) offers the GIAC Certified Penetration Tester (GPEN) certification. This is an extremely comprehensive certification covering all of the fundamentals of penetration testing in the form of a 115 question, multiple-choice, 3-hour exam. A tester with this distinction has a solid baseline of knowledge regarding penetration testing methodology, best practices, and advanced testing techniques. GIAC is one of the most well-respected training and certification organizations, offering ANSI-certified programs.
EC-Council provides the Certified Ethical Hacker (C|EH) distinction to individuals who pass its certification program. Besides requiring 2 years of information security experience prior to attempting the exam, the CEH designation should indicate that an individual has some basic technical ability to use the core tool set required of penetration testers.
These are only a few of the most popular certifications that you are likely to come across in the industry, and this is by no means an exhaustive list. Additionally, certifications alone do not make an individual qualified. You should always consider things like formal education, experience, and specialties, depending on the types of assessments or penetration testing you’re looking to have performed. The question shouldn’t necessarily be “what certifications should my penetration testers have?” but rather “how can I tell if my penetration testers are qualified?” Certifications are a great way to quickly identify an individual’s level of training and show that they are engaged in continuing education within information security. But being able to review your testing team’s biographies, past experience, education, and certifications together can provide a much more thorough understanding of what you’re paying for.