CREST Defensible Penetration Test (CDPT)
The CREST Defensible Penetration Test (CDPT) is a specification that provides recommendations on how penetration tests should be scoped, delivered, and signed off.
It has been created to provide greater guidance and clarity to organisations purchasing penetration testing services, as organisations can still lack clarity on how to procure a penetration test, what they should expect from a penetration test, and how a penetration test delivers assurance for an organisation.
CDPT provides a best practice framework for penetration testing
This guidance provides both a best practice framework for penetration test defensibility as well as an assurance of penetration tester competence in providing penetration testing services to clients.
It is not a methodology, but a process that any professional penetration test should follow.
The CDPT specification defines a minimum set of expectations associated with a penetration test
It allows for clients and service providers to work together to conduct penetration tests against legacy and emerging technologies, technology infrastructures, thick client, web and mobile applications, datacentres, mobile devices, or cloud security architectures.
This approach is designed to be commercially defensible, yet flexible and agile enough to support the cybersecurity industry in the years ahead.
How do I benefit from LRQA Nettitude using the CDPT specification?
LRQA Nettitude wraps the CDPT around our penetration testing services to ensure that the penetration tests that we provide to our clients are properly scoped, delivered, and signed off.
Our penetration testing services can be delivered to meet CDPT. This specification is designed to provide value for entities that want to procure a penetration test.
CDPT guides the key areas of importance, and it highlights the need for the following elements:
1
The need for penetration testing service providers to have appropriate policies, procedures, practices, and methodologies
CREST defines this as an Accredited organisation. LRQA Nettitude is the only organisation in the world that hold all of CREST’s accreditations.
2
The need for individuals involved in three key phases of a penetration test to have appropriate levels of skills, experience, and competency
CREST requires people involved in scoping, delivery, and sign-off to be both qualified and registered as skilled workers (i.e. they have signed the CREST code of conduct).
All LRQA Nettitude penetration testers are accredited by CREST and have signed the code of conduct.
3
The need for penetration testing service providers and the individuals conducting the assessment to work towards a defined and agreed test specification
Documented scope and exceptions with work scoped, delivered, and signed off by qualified people.
Suitably qualified individuals
The list of suitably qualified individuals is owned and maintained region-by-region across the globe.
Each CREST Council has the responsibility for defining suitably qualified individuals based on the prevalence of cybersecurity training and certification schemes that exist in their market.
A CDPT could not be delivered by an organisation that was not accredited and that did not use suitably skilled and competent individuals.
What are the phases of a CDPT?
Scoping
The scoping phase is essential for ensuring that the CDPT aligns with the assurance goals and objectives of the buyer.
The scoping phase must present guidance on the full attack surface that is relevant to the application, system or environment that is to be assessed.
Scoping must be undertaken by a suitably skilled individual that has signed the CREST code of conduct.
Delivery / Execution
The delivery phase must be conducted by the CDPT’s accredited methodology.
It must be conducted by a suitably skilled individual that has signed the CREST code of conduct.
Sign-off
The sign-off phase must be undertaken by a suitably skilled or qualified individual, or by a company officer.
This phase is a formal attestation that the CDPT was conducted by the methodology and that the assessment was delivered against the agreed scope.
Reporting Requirements of a CDPT
Reporting requirements will vary according to:
1) The type of penetration test
2) The needs of the buyer
3) The regulatory environment (in which the organisation operates)
4) Further, emergent requirements
Complying with the CDPT Specification
When conducting a CDPT, there is a minimum set of expectations that must exist for the test to comply with the CDPT Specification.
The following non-exclusive list of reporting elements comprises only a minimum set of expectations for a CDPT:
- Details of the goals and objectives of the assignment
- Details of the scope of the assignment, including the location of the assessment, any exclusions or restrictions that applied to the assessment
- Full details of the results of the CDPT
- A timeline showing the key activities conducted during the CDPT
- Remediation advice should be provided for each vulnerability
- Evidence that each person involved in scoping, delivery and sign-off within the CDPT was suitably qualified
What are the benefits of using CREST-accredited companies?
Each member company has signed a code of conduct that warrants that they will conduct penetration tests per the methodology assessed as part of their accreditation process.
All CREST companies that are accredited against the penetration testing discipline have undergone the same rigorous review process. This is true irrespective of the size or location of the organisation.
Why choose LRQA Nettitude for a CDPT?
LRQA Nettitude are certified by a range of governing bodies for our work within highly regulated industries, in the financial sectors and the payment card industry and are approved as a Qualified Security Assessor (QSA) company
We practise what we preach and have the highest levels of rigour applied to all the risk management and security controls that are relevant to our organisation itself. We are certified against ISO 27001 and ISO 9001.
A World Leader in CREST Accreditations
We are proud to be one of the few global companies that is fully certified by The Council of Registered Ethical Security Testers (CREST) across all key disciplines.
Our team of consultants have achieved the highest accreditations for Penetration Testing, Red Teaming, Incident Response services and Threat Intelligence. In addition, we were also the first organisation to be CREST accredited for our Security Operation Centre services.
Launch of the CREST OVS
Initially, CREST launched a new service based around ASVS/MASVS services from OWASP called CREST OWASP Verification Standard (CREST OVS), which follows the CDPT specification.
Learn more about CREST OVS and LRQA Nettitude’s delivery of this service.
Learn More
General Enquiry
CREST Defensible Penetration Test (CDPT)
The CREST Defensible Penetration Test (CDPT) is a specification that provides recommendations on how penetration tests should be scoped, delivered, and signed off.
It has been created to provide greater guidance and clarity to organisations purchasing penetration testing services, as organisations can still lack clarity on how to procure a penetration test, what they should expect from a penetration test, and how a penetration test delivers assurance for an organisation.
CDPT provides a best practice framework for penetration testing
This guidance provides both a best practice framework for penetration test defensibility as well as an assurance of penetration tester competence in providing penetration testing services to clients.
It is not a methodology, but a process that any professional penetration test should follow.
The CDPT specification defines a minimum set of expectations associated with a penetration test
It allows for clients and service providers to work together to conduct penetration tests against legacy and emerging technologies, technology infrastructures, thick client, web and mobile applications, datacentres, mobile devices, or cloud security architectures.
This approach is designed to be commercially defensible, yet flexible and agile enough to support the cybersecurity industry in the years ahead.
How do I benefit from LRQA Nettitude using the CDPT specification?
LRQA Nettitude wraps the CDPT around our penetration testing services to ensure that the penetration tests that we provide to our clients are properly scoped, delivered, and signed off.
Our penetration testing services can be delivered to meet CDPT. This specification is designed to provide value for entities that want to procure a penetration test.
CDPT guides the key areas of importance, and it highlights the need for the following elements:
1
The need for penetration testing service providers to have appropriate policies, procedures, practices, and methodologies
CREST defines this as an Accredited organisation. LRQA Nettitude are one of only a handful of companies in the world that hold all of CREST’s accreditations.
2
The need for individuals involved in three key phases of a penetration test to have appropriate levels of skills, experience, and competency
CREST requires people involved in scoping, delivery, and sign-off to be both qualified and registered as skilled workers (i.e. they have signed the CREST code of conduct).
All LRQA Nettitude penetration testers are accredited by CREST and have signed the code of conduct.
3
The need for penetration testing service providers and the individuals conducting the assessment to work towards a defined and agreed test specification
Documented scope and exceptions with work scoped, delivered, and signed off by qualified people.
Suitably Qualified Individuals
The list of suitably qualified individuals is owned and maintained region-by-region across the globe.
Each CREST Council has the responsibility for defining suitably qualified individuals based on the prevalence of cybersecurity training and certification schemes that exist in their market.
A CDPT could not be delivered by an organisation that was not accredited and that did not use suitably skilled and competent individuals.
General Enquiry.
What are the phases of a CDPT?
Scoping
The scoping phase is essential for ensuring that the CDPT aligns with the assurance goals and objectives of the buyer.
The scoping phase must present guidance on the full attack surface that is relevant to the application, system or environment that is to be assessed.
Scoping must be undertaken by a suitably skilled individual that has signed the CREST code of conduct.
Delivery / Execution
The delivery phase must be conducted by the CDPT’s accredited methodology.
It must be conducted by a suitably skilled individual that has signed the CREST code of conduct.
Sign-off
The sign-off phase must be undertaken by a suitably skilled or qualified individual, or by a company officer.
This phase is a formal attestation that the CDPT was conducted by the methodology and that the assessment was delivered against the agreed scope.
Reporting Requirements of a CDPT
Reporting requirements will vary according to:
1) The type of penetration test
2) The needs of the buyer
3) The regulatory environment (in which the organisation operates)
4) Further, emergent requirements
Complying with the CDPT Specification
When conducting a CDPT, there is a minimum set of expectations that must exist for the test to comply with the CDPT Specification.
The following non-exclusive list of reporting elements comprises only a minimum set of expectations for a CDPT:
- Details of the goals and objectives of the assignment
- Details of the scope of the assignment, including the location of the assessment, any exclusions or restrictions that applied to the assessment
- Full details of the results of the CDPT
- A timeline showing the key activities conducted during the CDPT
- Remediation advice should be provided for each vulnerability
- Evidence that each person involved in scoping, delivery and sign-off within the CDPT was suitably qualified
What are the benefits of using CREST-accredited companies?
CREST Accredited Penetration Testing companies, like LRQA Nettitude, have been assessed against stringent membership criteria as part of the annual accreditation cycle.
Each member company has signed a code of conduct that warrants that they will conduct penetration tests per the methodology assessed as part of their accreditation process.
All CREST companies that are accredited against the penetration testing discipline have undergone the same rigorous review process. This is true irrespective of the size or location of the organisation.
Why choose LRQA Nettitude for a CDPT?
We are proud to be one of the few global companies that is certified by CREST across all key disciplines.
Our team of consultants have achieved the highest accreditations for Penetration Testing, Red Teaming, Incident Response services and Threat Intelligence. In parallel, we were the first organisation to be accredited for our Security Operation Centre services.
We practise what we preach and have the highest levels of rigour applied to all the risk management and security controls that are relevant to our organisation itself. We are certified against ISO 27001 and ISO 9001.
Launch of the CREST OVS
Initially, CREST launched a new service based around ASVS/MASVS services from OWASP called CREST OWASP Verification Standard (CREST OVS), which follows the CDPT specification.
Learn more about CREST OVS and LRQA Nettitude’s delivery of this service.
Learn More
General Enquiry.