Quality Testing

Quality is delighting customers

I ve 2+ yrs exp in manual testing(Windows &Web) I used the pentration testing in the web application.Currently i'm working as a manual tester but i'm intersted in involve in pen testing.. What can i do .If any certification is needeed for that

Views: 342

Reply to This

Replies to This Discussion

Hey Saravanan,

Certification will always help you to improve methodology you follow for testing, I would prefer to go with certification only if your company pays for it as they are very expensive.

Other than that you can do following certifications
1. CEH (Certified Ethical Hacking) --> ECSA (EC-Council Certified Security Analyst) --> LPT (Licensed Penetration Tester)

You can also follow path from SANS or ISC2

For basic testing you can follow OWASP

Let me know if you want more details on any of above

Ankit Mehta
Sr. QA Engineer
Infostretch Solutions Pvt. Ltd.
What is pen testing???
A penetration test, occasionally pentest, is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker.

The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, both known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities.

Any security issues that are found will be presented to the system owner, together with an assessment of their impact, and often with a proposal for mitigation or a technical solution. The intent of a penetration test is to determine the feasibility of an attack and the amount of business impact of a successful exploit, if discovered. It is a component of a full security audit.For example, the Payment Card Industry Data Security Standard (PCI DSS), and security and auditing standard, requires both annual and ongoing penetration testing (after system changes).
CEH and LPT would be beneficial for you.

Thanks for your reply,I'm working in chennai.I do konw which institute is better.. Previously i follow the owasp.
The process of carrying out a penetration test can reveal sensitive information about an organization. It is for this reason that most security firms are at pains to show that they do not employ ex-black hat hackers and that all employees adhere to a strict ethical code. There are several professional and government certifications that indicate the firm's trustworthiness and conformance to industry best practice.[citation needed]

The Council of Registered Ethical Security Testers (CREST) offers three certifications: CREST Registered Tester, CREST Certified Tester (Infrastructure) and CREST Certified Tester (Web Applications).

CREST (Council of Registered Ethical Security Testers) is a non-profit association created to provide recognised standards and professionalism for the penetration testing industry.[3] For organisations, CREST provides a provable validation of security testing methodologies and practices, aiding with client engagement and procurement processes and proving that the member company is committed to providing testing services to the highest standard. For individuals, CREST provides a career path and industry leading qualifications for penetration testers. Three certifications are currently offered: the CREST Registered Tester and two CREST Certified Tester qualifications, one for infrastructure and one for application testing.[4]

The Information Assurance Certification Review Board (IACRB) manages a penetration testing certification known as the Certified Penetration Tester (CPT). The CPT requires that the exam candidate pass a traditional multiple choice exam, as well as pass a practical exam that requires the candidate to perform a penetration test against live servers.[citation needed]

SANS provides a wide range of computer security training arena leading to a number of SANS qualifications. In 1999, SANS founded GIAC, the Global Information Assurance Certification, which according to SANS has been undertaken by over 20,000 members to date.[5] Two of the GIAC certifications are penetration testing specific: the GIAC Certified Penetration Tester (GPEN) certification; and the GIAC Web Application Penetration Tester (GWAPT) certification.[citation needed]

Government-backed testing also exists in the US with standards such as the NSA Infrastructure Evaluation Methodology (IEM).[citation needed]

For web applications, the Open Web Application Security Project (OWASP) provides a framework of recommendations that can be used as a benchmark.[clarification needed][citation needed]

The Tiger Scheme offers two certifications: Qualified Tester (QST) and Senior Security Tester (SST). The SST is technical equivalent to CHECK Team Leader.

The International Council of E-Commerce consultants certifies individuals in various e-business and information security skills. These include the Certified Ethical Hacker course, Computer Hacking Forensics Investigator program, Licensed Penetration Tester program and various other programs, which are widely available worldwide.

[edit] United Kingdom-specific certifications
A number of certifications have been developed in the UK, initially for the UK government, and then for the commercial sector, which wanted equivalent levels of assurance.[citation needed]

For many years the only standard/accreditation was the CHECK scheme, administered by CESG (formerly known as the "Communications and Electronic Security Group", part of GCHQ). This standard is a mandatory prerequisite for Central Government testing but, due to EU rules, cannot be enforced for local government and government agency work. It has also been favoured by many commercial blue-chip organizations. Subscriber organizations to the scheme are required to maintain strict ethical standards, and certified individuals are automatically vetted to at least SC level security clearance.[citation needed]

The TIGER Scheme is one of the two non-governmental UK schemes for certifying the skills of penetration testers. The Scheme is managed by a Management Committee composed of industry stakeholders. The TIGER scheme contracts out training to an Operational Authority (OA), which is currently QBit ltd, and testing of applicants to an Examining Body (EB), which is currently Glamorgan University. TIGER certification is available directly from the TIGER bodies, and does not require employment by a member / associate employer. The Tiger Senior Security Tester (SST) has now been granted CHECK Team Leader (CTL) Technical Equivalence by CESG. Tiger maintains a register of certified security testers.[citation
Thaks Lot for your feedback... I'm want to move pen tester from Manual tester.Is a correct move for my future.And also know which is good institue in chennai
I ve doubt...
I ve knowledge in OWASP Top ten vulnerabilites ,sql2005 and well know about manual testing concept.My question is.. In which area i'll improve for pen testing before certification
Pen Testing means to find out the hole in the application(web).See holes mean if any unauthorized person is able to access the application.. Simply say Find out the vulnerabilites in the application.
Networking and Administration,
Data base,
Operating System.
I ve doubt...
I ve knowledge in OWASP Top ten vulnerabilites ,sql2005 and well know about manual testing concept.My question is.. In which area i'll improve for pen testing before study the certification
Hey Saravanan,

Penetration testing it self contains all testing including network, physical security, database and application. If you have followed OWASP testing guide V3 it contains all this stuffs as well.

Certification is always added advantage to you but I would prefer you to complete all stuffs mentioned in OWASP V3 testing guide and then go for certification.

During learning all these stuffs if you find any difficulties feel free to contact me



TTWT Magazine





© 2021   Created by Quality Testing.   Powered by

Badges  |  Report an Issue  |  Terms of Service