The CREST (Council of Registered Ethical Security Testers) OVS (OWASP Verification Standard) has been created to help standardise the way advanced penetration tests are executed, by creating a framework for all security consultancies to follow. This matters because it requires companies to use experienced staff to perform the assessments: every consultant working on an OVS project must be accepted onto the CREST highly skilled persons register, and the company itself must hold CREST status.
CREST has explained the new testing standard in their own words:
“Developed by CREST, in consultation with the Open Web Application Security Project (OWASP), the CREST OVS (OWASP Verification Standard) is a brand-new framework that provides a scalable and consistent approach to web and mobile application security standards.
CREST OVS brings together some of the brightest minds in AppSec to improve global application security standards. The framework will provide exciting opportunities for CREST members to engage with the buying community and with governments and regulators around the world that are looking to raise application security standards.”
There is no doubt that some companies perform less thorough penetration tests than others, and that is the problem the CREST OVS standard aims to resolve. The standard is made up of three tiers, with tier one being entry-level and tier three being government/military standard. Most companies should aim for tiers one and two; there is no need for the majority of organisations to aim for tier three.
The advantage of having a common, open framework to perform penetration tests against is that companies know exactly what they are getting. It also allows a penetration test to show what a company has done right, as well as what it has done wrong, which is a much more useful result.
The CREST OVS assessment has up to 286 requirements, and following an assessment a company will know which of them it has passed or failed. The underlying framework is created and maintained by OWASP, which also maintains the methodologies. It is not only for penetration testers: companies can also adopt it as an internal standard for their own security. The assessments performed by our consultants will confirm each of these security points.