School of Computer and Information Science, Security Research Centre, Edith Cowan University, Perth, Western Australia
Attacks against computer systems and the data contained within these systems are becoming increasingly frequent and evermore sophisticated. So-called “zero-day” exploits can be purchased on black markets and Advanced Persistent Threats (APTs) can lead to exfiltration of data over extended periods. Organisations wishing to ensure security of their systems may look towards adopting appropriate measures to protect themselves against potential security breaches. One such measure is to hire the services of penetration testers (or “pen-tester”) to find vulnerabilities present in the organisation’s network, and provide recommendations as to how best to mitigate such risks. This paper discusses the definition and role of the modern pen-tester and summarises current standards and professional qualifications in the UK. The paper further identifies issues arising from pen-testers, highlighting differences from what is generally expected of their role in industry to what is demanded by professional qualifications.