RE: CREST or TIGER?

From: Paul J Docherty (PJD@portcullis-security.com)
Date: Mon Oct 22 2007 - 02:00:35 EDT


EH,
  
I came across your mail asking for opinions on the TigerScheme verses CREST certifications. Before I comment I feel I should declare my hand by saying that my organisation is involved in and fully supports CREST.
  
I was interested to note your table and the conclusions you have arrived at regarding the attributes of both schemes. Can I suggest that one or two of the conclusions are perhaps as a result of misunderstanding, or a lack of clarity in the available information.
 
CREST is OPEN for examinations having already run its Alpha and Beta test programs. Moreover, there are two sets of examinations available; one which covers Infrastructure and one covering Applications, not to mention the core module which is required regardless of which stream is taken. I understand from their website that the Tigerscheme is only offering Infrastructure exams.
  
CREST is indeed an industry body with the aim of improving the level of demonstrable standards, but has a growing advisory panel made up of the highest volume consumers (from both the public and private sectors) of these services who provide advice and direction to CREST to ensure that the standard is high and appropriate for their needs. In addition, the IAP ensures CREST remains current as new technologies emerge.
  
As you may notice from the Members page of the website, CREST is supported by many of the key players in the security testing market.
 
The CREST process has been designed to ensure that CREST member companies have clear demonstrable standards that they provide a quality test to the end user community.
 
As noted on the first line of the front page on the CREST website, CREST is a not-for-profit, wholly independent organisation.
  
As you rightly point out, both schemes do cater for individuals, however the CREST Standards also have stringent processes for accepting organisations as members. Your email suggests that Tigerscheme also do this through the CCTM, I feel it prudent to point out that the CCTM is a totally separate scheme from Tigerscheme and is run by CSIA. I quote from the CCTM web site; "Vendors register to have their product or service tested against their marketing claims." The CCTM is also quite a costly process with average costs quoted being circa £20,000+.
   
Career path is indeed provided for in both schemes. Again, as you point out, low level examinations do not carry much weight within what is a deeply technical specialism. The CREST examinations therefore provide a significant test of an individual's ability - considerably greater than currently exists within the industry. It therefore represents a difficult but achievable goal for penetration testers.
  
The conclusion regarding the CEH is probably the result of misunderstanding the information on the website. CREST does not 'support' or endorse CEH and the site has been changed to clarify this, and make the information about the membership levels easier to digest. We thank you for bringing this lack of clarity to our attention.
  
Regards
  
Paul Docherty

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of EH
Sent: 17 October 2007 12:26
To: pen-test@securityfocus.com
Subject: CREST or TIGER?

All, I would value your opinion. I am trying to make a comparison
between the 'new kids on the block' in terms of pen tester
accreditation here in the UK, CREST and TIGERScheme, for my
organisation. So far I've come up with the following information.

                                      CREST TIGER
An existing examination No Yes
Independent of suppliers No Yes
End user driven No Yes
Not for profit Yes? Yes
Applicable to Individuals Yes? Yes
Company standards Yes Yes (CCTM)
Career path Yes? Yes
University standard No Yes
It seems that the TIGER Scheme www.tigerscheme.org is fully up and
running and accrediting individuals already plus it is a University
based examination which CREST www.crest-approved.org is not.

I see from the CREST website that they are in support of the often
maligned multiple guess CEH examination and will 'grandfather'
individuals into the 'CREST approved' scheme if they have CEH. Now I
am a CEH [amongst other things I hasten to add] and I sat the exam in
early 2003. It was taken reasonably seriously then but it seems that
the pen test communities opinion of the cert has deprecated somewhat
over time ... so is CREST a re-branded EC-COUNCIL? If so will they go
the same way?

To grandfather into TIGER at the lowest level of certification you
need an approved MSc in Computer Security. Basically any certs I
recommend for my organisation I want to be taken seriously now and in
future. I am heavily leaning towards TIGER.

Your thoughts?

Thanks in advance.

EH

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

-- 
No virus found in this incoming message.
Checked by AVG Free Edition. 
Version: 7.5.488 / Virus Database: 269.15.0/1076 - Release Date: 17/10/2007 19:53
###############################################################
This email originates from the systems of Portcullis
Computer Security Limited, a Private limited company, 
registered in England in accordance with the Companies 
Act under number 02763799. The registered office 
address of Portcullis Computer Security Limited is: 
The Grange Barn, Pikes End, Pinner, MIDDX, 
United Kingdom, HA5 2EX. 
The information in this email is confidential and may be 
legally privileged. It is intended solely for the addressee. 
Any opinions expressed are those of the individual and 
do not represent the opinion of the organisation. Access 
to this email by persons other than the intended recipient 
is strictly prohibited.
If you are not the intended recipient, any disclosure, 
copying, distribution or other action taken or omitted to be 
taken in reliance on it, is prohibited and may be unlawful. 
When addressed to our clients any opinions or advice 
contained in this email is subject to the terms and 
conditions expressed in the applicable Portcullis Computer 
Security Limited terms of business.
###############################################################
#####################################################################################
This e-mail message has been scanned for Viruses and Content and cleared 
by MailMarshal.
#####################################################################################
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:10 EDT