The global skills and competency framework for the digital world

#1381 CORE PENT TEST overlaps to not draw sufficient differences between skill sets change request accepted

Testing, Penetration Testing and Conformance Review skills have overlaps e.g.

Level 6
CORE 6 review of implementation and use of standards and the effectiveness of operational and process controls
PENT 6 seeking vulnerabilities across the full spectrum of organisation policies, processes

Level 5
TEST 5 Defines and communicates the test strategy. Manages all test processes, including test plans, resources, costs, timescales, test deliverables and traceability.
PENT 5 Defines and communicates the test strategy. Manages all test processes, and contributes to corporate security testing standards.

The guidance notes for CORE ("Conformance reviews can be applied in a number of areas such as - but not limited to - asset management, network security tools, firewalls and internet security, sustainability, real-time systems, application design and specific certifications.") sound like the activities of PENT.

All three activities include test management. Is consolidation appropriate?

Current status of this request: accepted

What we decided

This change request has been reviewed alongside other SFIA skills in the area of testing, quality assurance, conformance, audit. 

What we changed

PENT is restructured and descriptions improved to make some clearer distinctions. 

CORE has been retired, Quality assurance (QUAS) has been restructured and Audit (AUDT) has been added.

Miroslav Pavlovic
Mar 08, 2021 01:35 PM

Maybe TEST and PENT need to be fused into one skill. Penetration testing is a testing method (in the broader sense, a software quality control technique), not a skill. And after that, resolve the overlap with CORE.

Matthew Burrows
Mar 11, 2021 08:45 AM

We don't need to resolve all overlaps - they are inevitable. We definitely shouldn't merge TEST and PENT - this will cause issues when people assess themselves, with some people not selecting the skill because they never do penetration testing. PENT is an applied form of testing that is very specialist, which justifies the separate skill. TEST is more generic and more widely applicable.

Miroslav Pavlovic
Mar 15, 2021 02:31 PM

I agree. We don't need to resolve all overlaps. But the same logic applies to the smoke test, border testing, integration testing, stress testing (to mention some), and other testing methods. All of them are different objectives and can be specialized.

Miroslav Pavlovic
Mar 15, 2021 04:04 PM

All of them have different objectives and can be specialized.

Miroslav Pavlovic
Mar 15, 2021 03:26 PM

To delimit well between PENT and CORE (I think), we need to start from the penetration test definition. Here is one from the UK National Cyber Security Centre. They describe penetration testing as: "A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system's security, using the same tools and techniques as an adversary might." Other definitions are similar, and all are related to information systems or software and networks.

According to my knowledge, the conformance review has a broader scope than TEST and PENT. It looks like the overall description of the CORE skill points to conformance testing (the QUAS, TEST, and PENT skills already cover this; I hope that I'm not missing some skill related to quality). Maybe the CORE skill needs to be redefined.