CREST – Digital IT News https://digitalitnews.com IT news, trends and viewpoints for a digital world

OVS OWASP Verification Standard Launched by CREST
https://digitalitnews.com/ovs-owasp-verification-standard-launched-by-crest/
Thu, 04 Aug 2022 23:14:50 +0000

CREST, in consultation with the Open Web Application Security Project (OWASP), announced the OWASP Verification Standard (OVS), a new quality assurance standard for the global application security industry. CREST OVS provides mobile and web app developers with greater security assurance and accredited organizations with enhanced access to the growing app development industry.

CREST OVS measures an organization’s ability to execute and deliver assessments related to Level 1 and Level 2 of the OWASP Application Security Verification Standard (ASVS) and OWASP Mobile Application Security Verification Standard (MASVS). The ASVS and MASVS are OWASP projects which have been developed by the technical AppSec community to establish an open-source framework of security requirements needed to design, develop and test secure mobile and web applications.

“CREST OVS sets new standards in web and mobile application security to provide the buyers of application security assessment services with the highest level of assurance,” said Rowland Johnson, president of CREST. “The program has a series of explicit requirements that are designed to assess and harness the capabilities of an organization, along with the skills and competencies of its individual security testers.”

CREST has been working closely with governments, regulators and multinational organizations focused on improving application security and it is expected that there will be high demand for both CREST OVS Mobile and CREST OVS Apps accredited services.

By leveraging ASVS and MASVS, CREST is formally supporting the open-source community to build and maintain global standards. “Both CREST and OWASP are non-profit organizations and we share a vision of increasing collaboration and open standards across the industry to build and maintain global cyber security standards,” added Johnson.

Andrew van der Stock, Executive Director of the OWASP Foundation, said: “This is a positive move for worldwide corporate and government adoption of the ASVS and MASVS projects. While the OWASP Top 10 risks project has built vital awareness of the importance of Application Security, I am excited to see the move towards using standards such as ASVS and MASVS to help organizations improve their application security in a structured and comprehensive way.”

To apply for the OVS program, companies need to be accredited to the CREST Penetration Testing discipline. Organizations must also demonstrate at corporate level that they can meet the program requirements to execute and deliver Level 1 and Level 2 ASVS and MASVS services.

In addition, all organizations will need to ensure that their teams have completed CREST’s Skilled Person Register and have each signed the CREST Code of Conduct. For more information on eligibility and how to become CREST OVS accredited, please visit the OVS pages on the CREST website.

Defensible Penetration Test Released by CREST
https://digitalitnews.com/defensible-penetration-test-released-by-crest/
Mon, 01 Aug 2022 18:16:52 +0000

CREST has announced the release of its CREST Defensible Penetration Test, a specification that provides recommendations on how penetration tests should be scoped, delivered and signed off. With significant growth in the numbers of penetration tests being carried out around the world, the need to define best practice has become increasingly important. CREST, a not-for-profit global cyber security membership body, has worked alongside industry recognized and peer-selected experts to define a minimum set of expectations associated with a penetration test.

The guidance focuses on defining a CREST Defensible Penetration Test and is designed to help service providers and their clients to work more effectively together to conduct penetration tests.

“A CREST Defensible Penetration Test provides flexibility built around a minimum set of expectations that will drive better outcomes for buyers across the globe,” explained Rowland Johnson, CREST President. “It provides the industry with a much needed commercially defensible assurance activity that is appropriately scoped, executed and signed off.”

Across the globe it is widely acknowledged that the definitions, practices and expectations associated with a penetration test are inconsistent and fluid. This makes it difficult to define or parameterize a series of activities that looks at all possible requirements, engagements or scenarios. For example, a penetration test may need to assess a mobile phone at one end of the spectrum or an aircraft carrier at the other.

This new CREST guidance provides a best practice framework for penetration test defensibility and an assurance of penetration tester competence. It will help organizations that are looking to procure penetration testing services and organizations that deliver penetration testing services.

Only when the following three elements are satisfied will the CREST Defensible Penetration Test be commercially defensible:

  • The need for penetration testing service providers to have appropriate policies, procedures, practices and methodologies
  • The need for all individuals involved in a penetration test to have appropriate levels of skills, experience and competency
  • The need for penetration testing service providers and the individuals conducting the assessment to work towards a defined and agreed test specification

More information on the CREST Defensible Penetration Test is available at: Implementation & Procurement Guides – CREST (crest-approved.org)

Cybersecurity Visionary Rowland Johnson Appointed as CREST President
https://digitalitnews.com/cybersecurity-visionary-rowland-johnson-appointed-as-crest-president/
Wed, 22 Sep 2021 13:33:07 +0000

CREST, a not-for-profit accreditation and certification body representing the technical information security industry, announced it has appointed Rowland Johnson as President for an initial term of one year. As a former member of the CREST Great Britain (GB) Executive Board, serving between 2014 and 2020, he is ideally placed to take over from Ian Glover, who announced his retirement in June.

A dedicated supporter of CREST for many years, Johnson was instrumental in CREST’s international growth, playing a key role in the creation of CREST in Singapore and the United States. He was also a founding director of cybersecurity company Nettitude and oversaw its acquisition by Lloyd’s Register in 2018.

Johnson’s appointment was unanimously approved by the CREST GB Executive Board and CREST’s regional Advisory Boards in the U.S., Australia and Southeast Asia.

“I feel privileged by the support from CREST’s elected members and regional chairs for my appointment to this prestigious role,” commented Johnson. “I will be working closely with Ian and the whole of the CREST team to ensure that the transition is as seamless as possible for CREST members and for everyone we work with across the industry, governments, regulators and academia.  It is important that members are always right at the heart of everything CREST does and we will be focusing on providing greater support and encouraging closer collaboration, as we progress forward and build on Ian’s legacy. He leaves CREST in a very strong position.”

Ian Glover retired as President of CREST on September 1 after almost 13 years in the role. He will continue supporting CREST projects internationally until December 1, 2021.

“Having worked closely with Rowland for six years while he was a member of the CREST GB Executive, I am delighted that he is taking up the President’s role,” said Glover. “During my time with CREST I hope I have helped organizations to mature and grow while encouraging individuals to enter and thrive in an increasingly professional industry. I am confident it will also be Rowland’s mission to carry on this work.”

“On behalf of CREST USA I would like to welcome Rowland back to CREST and to his position as President,” commented Tom Brennan, Chairman, CREST USA. “I know the passion he has for CREST and its importance to the global cybersecurity ecosystem. This, along with his significant industry experience, makes him ideal for the role and I very much look forward to working with him, alongside the CREST team.”

Johnson will be supported during the transition period by a CREST senior management team comprising Elaine Luck, Operations Manager; Samantha Alexander, Principal Accreditor; and Richard Beddow, CREST’s Financial Controller.

Launched by CREST Accreditation: New Globally Available Practical Penetration Testing Certification
https://digitalitnews.com/new-globally-available-practical-penetration-testing-certification-launched-by-crest/
Tue, 07 Sep 2021 17:31:35 +0000

CREST, a not-for-profit accreditation and certification body representing the technical information security industry, has launched the first of four new practical penetration testing certifications that are designed to be delivered via selected Pearson Vue centers around the world. The new CREST Registered Security Analyst (CRSA) certification will provide CREST members, CREST qualified individuals and the wider industry with flexible, global access to this practical penetration testing examination.

CRSA is a new Registered level practical penetration testing certification.  It has a slightly broader scope than the CREST Registered Penetration Tester (CRT) and includes desktop breakout assessments and a larger web application component. CRSA will run in parallel with CRT.

The UK’s National Cyber Security Centre (NCSC) has confirmed that the CRSA certification will be recognized alongside the CRT for technical entry for CHECK Team Member.  This applies to all CRSA certifications awarded, wherever in the world candidates take the examination.

The existing CREST Practitioner Security Analyst (CPSA) certification, which is already a prerequisite for the CRT, is also a prerequisite for the new CRSA examination. Please note that a CPSA qualification attained via equivalency cannot be used as the prerequisite for booking the CRSA examination.

The CRSA is available to book from today through Pearson Vue (CREST :: Pearson VUE).

The CRSA is the first in a suite of new practical certifications being developed by CREST.  The others, which have not yet been recognized by NCSC, are:

  • CREST Certified Security Consultant (Red Team) – CCSC RED
  • CREST Certified Security Consultant (Networks) – CCSC NET
  • CREST Certified Security Consultant (Web) – CCSC WEB

“The examinations for all four new practical penetration testing certifications have been designed to be delivered entirely through Pearson Vue centers,” said Ian Glover, President of CREST International. “This opens up the opportunity to individuals working in the cyber security industry to get the access to certify with CREST wherever they are in the world.”

Pearson Vue centers offer a distraction-free, secure testing environment with continuous candidate surveillance. There are a number of mandatory security measures at all test centers to ensure the integrity of the examinations and the safety of the candidates.

For full details on the CRSA please visit: https://www.crest-approved.org/professional-qualifications/crest-exams/index.html

CREST Launches Remote Audit Facility for SOC Accreditation
https://digitalitnews.com/crest-launches-remote-audit-facility-for-soc-accreditation/
Thu, 15 Apr 2021 17:04:12 +0000

CREST, a not-for-profit accreditation and certification body representing the technical information security industry, announced a new remote audit facility for its SOC (Security Operations Center) Accreditation. Reducing the need for travel and helping to ensure more timely and effective audits, the new remote audit capability provides an alternative to on-site audits and will meet the increased international demand for SOC Accreditation, without compromising the high CREST standards.

CREST’s SOC Accreditation is available for both service providers and internal SOCs and was developed with extensive input from CREST members and the wider industry to provide an internationally recognized and independent validation of the SOC. Accreditation demonstrates a high level of assurance and trust. Since its launch at the end of 2017, the CREST SOC Accreditation has seen a significant increase in demand.

CREST has a detailed and comprehensive SOC Assessment Criteria that looks at six key areas of a SOC: Organizational Environment; Customer Requirements; Technology and Tools; Event Analysis; Threat Intelligence & Situational Awareness; and Protecting the SOC. The first stage to accreditation involves completing the application via the CREST Membership Portal, which will ask questions about processes, policies and methodologies. The second stage is the detailed audit conducted by a qualified auditor within six months of the application.

“Even before the pandemic and the additional travel constraints it has brought, high levels of international demand for SOC Accreditation meant we needed to look for a more accessible, flexible and efficient approach to speed up the audit process,” explains Samantha Alexander, Principal Accreditor at CREST. “But we needed to ensure that any solution didn’t impact the very high standards of the audit itself. This remote capability allows the CREST audit team to review documentation, conduct interviews and site tours with the same rigor and attention to detail as an onsite visit.”

CREST will discuss the process with the organization’s SOC team in advance to ensure that all SOC criteria are covered and technology requirements are reviewed to deliver an effective audit. The audit will start with a review of documentation and records, observations of processes and methodologies, interviews with the SOC staff and a remote video tour of the SOC environment. All data and evidence will be noted and included in the final audit report, held under a CREST NDA. More information is available by visiting https://www.crest-approved.org/applying-for-soc-accreditation.
