CREST, a non-profit membership organisation representing the global cybersecurity industry, has developed a Crest Defensible Penetration Test (CDPT) specification. This specification is designed to guide organisations in conducting penetration tests and utilising the test results to enhance their overall security posture and establish security programs during significant growth phases.
By adhering to the CDPT standard, organisations can maximise the benefits of a penetration test while minimising risk. This blog will provide an overview of what CDPT is, what problems it solves for the cyber security industry, how CREST guidance works, and the benefits of CREST penetration testing services for businesses looking to improve their security posture.
Why do we need a defensible pen test specification?
Currently, no consistent guidance or standard defines the outcome for security service buyers. This means that practices and expectations vary, with definitions and terminology being inconsistent and fluid.
As widely acknowledged globally, there’s currently no consistency in the market to deliver penetration testing services in line with a standard. This issue varies across segments, such as penetration tester competence, how to conduct penetration tests, best practice framework use, and certification equivalencies. CREST guidance around CREST defensible penetration test aims to solve some of these concerns. It provides a best practice framework around penetration test defensibility and penetration tester competence to provide services.
At the least, it has set off to a good start with the release of OVS. More on where this guidance focuses and the progress is provided below.
Cyber attacks are not a matter of if, but when. Be prepared.
Box-ticking approach to penetration tests is long gone. We help you identify, analyse and remediate vulnerabilities so you don’t see the same pentest report next time.
What is a CREST Defensible Penetration Test?
CREST defensible penetration test is a reasonably new specification that defines how penetration tests should be conducted. CREST, an international not-for-profit body, has worked alongside industry-recognised experts to define a minimum set of expectations through this new CREST guidance known as CDPT to ensure better outcomes for buyers.
This specification covers the following three areas:
- Scoping and objectives
- Sign off
The three CDPT phases are meant to differ from CREST-accredited providers’ pentesting methodology and reflect specific outputs based on test specifications. Here are the summaries of these three phases:
Scoping and objectives
Like a carefully planned pen test, the scoping phase is increasingly important and essential to successful Cyber-Defence Penetration Testing (CDPT).
At a high level, the goals and objectives include:
- Assessment against the primary security concerns, such as checks on target systems to withstand an attack
- Review of defensive controls of an organisation
- Cyber assurance that information held on the target systems is not vulnerable to disclosures or unauthorised access
The CDPT assessment requires that a specific scope of work is agreed upon between the buyer and the CREST Accredited Penetration Testing Provider, such as Cyphere. This scope of work should encompass all areas necessary to meet the assurance requirements defined by the contracting organisation or their project. The CDPT assessment must be conducted using a CREST-accredited methodology.
This phase includes the delivery of a pen test project by the CREST tester’s accredited methodology. The CREST Accredited Penetration Testing Provider is also responsible for providing a documented report to the contracting organisation upon completion of the assessment. The document must include an executive summary, a detailed description of findings and any recommendations identified during the assessment.
The sign-off phase of a Certified Defensible Penetration Test (CDPT) is the formal attestation that the assessment was conducted by the CREST Defensible Penetration Tester’s methodology and that the scope of work was delivered as agreed. A company officer or suitably skilled individual must undertake the sign-off.
Will the CREST Defensible Penetration Test be commercially defensible?
The three essential elements must be satisfied for the CREST Defensible Penetration Test to be commercially defensible.
- Penetration testing service providers must have policies, procedures, practices, and methodologies in place. This ensures consistency in the testing approach and enables the service provider to demonstrate professionalism and due diligence, instilling confidence in their clients.
- To conduct the testing effectively, all penetration testers must possess appropriate skills, experience, and competency levels. This calls for adequate training and continuous professional development to stay current with the latest threats and mitigation techniques.
- Penetration testing service providers and security consultants must work towards a defined and agreed test specification, outlining the test’s scope, objectives, and methodology. This ensures clear communication and expectations from both parties and helps avoid misunderstandings or disagreements. By satisfying these elements, the CREST Defensible Penetration Test can be considered commercially defensible, reassuring clients and promoting trust in the security industry.
A Commercially Defensible Assurance Activity
Penetration testing is an essential step in safeguarding systems from cyber threats. Adequate security requires diligence and commercially defensible actions instead of quick fixes or cheap but risky options. An organisation should approach penetration testing expecting the process to be appropriately scoped and executed by highly skilled and knowledgeable professionals.
The CREST Defensible Penetration Testing standard looks into delivering and procuring commercially defensible activity rather than defining scope. Scoping is decided mutually between the service provider and the pen testing service buyer.
CREST has created a new accreditation program called OVS (OWASP Verification Standard) and has aligned with the OWASP teams responsible for Application and mobile security. Currently, two such standards are available under OVS, i.e. Application focussed (ASVS) and Mobile Application focussed verification standard (MASVS).
How should CDPT specification be used?
The CREST Defensible Penetration Test ensures robust security measures by clarifying the need for penetration test service providers, individuals and an agreed test specification. Here are the points to use this specification:
- CREST Defensible Penetration Test provides value for entities wanting to procure penetration testing services.
- Accredited organisations must have appropriate policies, procedures, practices, and methodologies.
- Individuals involved in the critical phases should have the appropriate levels of necessary skills and experience.
- All components should be combined to produce a defensible test. The test includes scoping, delivery and sign-off, which qualified individuals must conduct.
- The CREST OVS standard should be the starting point for web and mobile phone applications.
How does Cyphere deliver the benefits of CREST Accreditation to customers?
CREST accreditation provides multiple business benefits for organisations across the globe. From skilled individuals to escalation procedures, here are the main advantages of using Cyphere’s pen testing services:
- CREST Accredited Penetration Testing companies have been assessed against stringent membership criteria as part of an annual accreditation cycle.
- Each member company has signed a Code of Conduct, warranting that all tests will be conducted per the approved methodology.
- The accreditation process is rigorous and independent, regardless of the size or location of the organisation.
- All organisations are bound by a Code of Conduct and complaints process to ensure standards are upheld and exceptions/disputes are handled robustly.
- The process is enhanced annually to reflect evolving security best practices and minimum requirements.
There are several CREST-related topics we have covered extensively you might want to explore:
- CREST penetration testing guide and methodology
- Learn about the CREST penetration testing maturity model
- What is a CREST-approved provider, and why is choosing a CREST-certified company important?
- Understanding the CREST-accredited penetration testing
- Your guide to CREST vulnerability assessments
- CREST and CHECK Penetration Testing Explained – Which is Right for Your Business?
- CREST Certification benefits, cost, OSCP equivalent and other details
What does this mean for you?
While CDPT doesn’t guarantee complete defence, it ensures thorough assessment, execution, and reporting of the testing process. Additionally, it binds the penetration testing organisation and the penetration tester in a Code of Conduct, reinforcing the seriousness of the process.
As someone who works in cyber security, buyers will likely start asking for the CREST Defensible Penetration Test. CREST is open for this to be a comprehensive assessment that allows buyers to provide valuable feedback. This will help improve service quality in the industry.
The CREST Defensible Penetration Test is a comprehensive assessment that enables buyers to provide valuable feedback, helping improve the quality of services in the industry. To be commercially defensible, penetration testing service providers need policies, procedures, practices and methodologies; all testers must possess appropriate skills and experience, and both parties should agree on a test specification.
At Cyphere, we are committed to providing our clients with the highest security solutions. If you’re looking for an experienced team to help you through your penetration test program, get in touch today!
Harman Singh is a security professional with over 15 years of consulting experience in both public and private sectors.
As the Managing Consultant at Cyphere, he provides cyber security services to retailers, fintech companies, SaaS providers, housing and social care, construction and more. Harman specialises in technical risk assessments, penetration testing and security strategy.
He regularly speaks at industry events, has been a trainer at prestigious conferences such as Black Hat and shares his expertise on topics such as ‘less is more’ when it comes to cybersecurity. He is a strong advocate for ensuring cyber security as an enabler for business growth.
In addition to his consultancy work, Harman is an active blogger and author who has written articles for Infosecurity Magazine, VentureBeat and other websites.