Singapore to license pentesters and managed infosec operators

Cybersecurity service providers must apply for licenses to operate in Singapore, under new regulations launched by the country’s Cyber Security Agency (CSA) on Monday. The new licensing framework requires vendors that offer penetration testing and/or managed security operations centers (SOC) to get a license, in recognition that …

  1. amanfromMars 1 Silver badge

    Another virtual land/fiat money grab guaranteeing nothing good

    One would have thought that responsible licensees would be paid by Singapore rather than having to pay Singapore.

    1. Cav Bronze badge

      Re: Another virtual land/fiat money grab guaranteeing nothing good

      Another ridiculous comment. If you offer a service concerning the security, and potentially the continued existence, of other companies then you should be vetted and licensed. I.e. regulated to some degree.

      1. amanfromMars 1 Silver badge

        Re: Another virtual land/fiat money grab guaranteeing nothing good

        The ridiculous point being made, Cav, was pentesters offering services concerning the security, and potentially the continued existence, of other companies being vetted and licensed. I.e. regulated to some degree, and penalised with fees they have to pay to third party others for their service to clients.

        It’s all rather parasitic.

      2. doublelayer Silver badge

        Re: Another virtual land/fiat money grab guaranteeing nothing good

        Any job has the opportunity to impair the security or existence of your employer. If you don't work in security, but you have access to the corporate office and/or network, you could do damage. You could also do damage by either failing to do your job competently or deliberately doing it to sabotage your employer. I don't think that's a good argument for requiring a license, as if you do so, the result will be the same: your employer will fire you and consider suing you for the damage caused.

        There have been efforts to license nearly every profession in existence. Would you favor mandatory licenses for IT workers, support staff, programmers, or whatever job you have? Are there any jobs you wouldn't want to use that on?

        1. amanfromMars 1 Silver badge

          Another pertinent impertinent question to have answered

          If you do work in security, and are licensed, and have access to the corporate office and/or network and do damage by either failing to do your job competently or deliberately doing it to sabotage your employer, does your employer fire you and consider suing you and/or the licensing authorities for the damage caused?

  2. Anonymous Coward

    Seems reasonable

    They must have got something right. I can tell by the comments that it will be a "regulatory burden" and "potentially stifle innovation".

    It will allow Singapore to get a handle on companies that offer these services and the price of the licenses is minimal.

    1. amanfromMars 1 Silver badge

      Re: Seems reasonable @HildyJ

      Hmmmm?

      Others would fundamentally disagree with you, HildyJ, and be somewhat perplexed that you would think a regulatory burden that potentially stifles innovation is something got right rather than a proposal gone seriously wrong ...... and therefore most unlikely to be successful in practice or welcomed in theory.

      1. Cav Bronze badge

        Re: Seems reasonable @HildyJ

        Oh please. The idea is to stop random idiots and potential criminals offering these services with no oversight at all. That's a good thing.

        1. amanfromMars 1 Silver badge

          Re: Re: Seems reasonable @HildyJ

          A good thing maybe, Cav, but you must admit surely, the chances of it being almighty successful are extremely slim at best, for the prizes and rewards offered and delivered whenever one knows what needs to be done and how to do it without any possible attribution being possible are just far too great and attractive an opportunity to resist and not exploit and expand services for/in for a whole host and great number of appreciative and generous customer clients/allies/partners

          It’s only natural in that sort of business teeming with cowboys and pirates/private enterprise and bounty hunters.

  3. johnfbw

    Easier to prosecute hackers

    I guess it removes the defence in court if a hacker just claims to be pentesting - they will change the charges to unlicensed pentesting and throw them in jail

    1. doublelayer Silver badge

      Re: Easier to prosecute hackers

      That's already a crime. Pentesting without permission is no different from regular crimes, just as if I broke into your house without permission, whether I meant to take your stuff or demonstrate that your lock isn't good makes no difference. You don't need a law to eliminate that defense; it's invalid and thoroughly rejected.

      1. johnfbw

        Re: Easier to prosecute hackers

        I was thinking more bug bounty type affair. "I was trying to get Google to pay me for the bug I found" as a defence for hacking Google

        There is the other one where pentesters are caught and the company denies employing them - though that is more the plot of movies than massively common

  4. zb42

    I wonder if this is written to clearly include or clearly exclude random people at home participating in bug bounty programs.

  5. Anonymous Coward

    disagree

    I feel a very explicit contract on the scope of each pen test would better serve the situation.

    The new laws will remove the freelance bug hunters, which means fewer exploits being reported to proper vendors and more to those that will abuse them.

    At least their motive sounds good.

  6. Robert Helpmann??

    Doing the Necessary

    In the US, the requirement for contractors is usually one of having a particular set of certs, so on a practical level, it is much the same. The biggest difference would seem to be who you give your hard-earned to.

  7. YetAnotherJoeBlow

    Some regulation is OK.

    If mandatory, it should cost no more than a driver's license.

  8. paulr78

    In related news ....

    Commenters on "The Register" website will be required to prove that they are over the age of eighteen, do NOT live with their parents and are not considered to be "on the spectrum". This requirement is expected to reduce the number of comments on the website by over 95%.
