Singapore to license pentesters and managed infosec operators Cybersecurity service providers must for licenses to operate in Singapore, under new regulations launched by the country’s Cyber Security Agency (CSA) on Monday. The new licensing framework requires vendors that offer penetration testing, and/or managed security operations centers (SOC) to get a licenses, in recognition that …
The ridiculous point being made, Cav, was pentesters offering services concerning the security, and potentially the continued existence, of other companies being vetted and licensed. I.e. regulated to some degree, and penalised with fees they have to pay to third party others for their service to clients.
It’s all rather parasitic.
Any job has the opportunity to impair the security or existence of your employer. If you don't work in security, but you have access to the corporate office and/or network, you could do damage. You could also do damage by either failing to do your job competently or deliberately doing it to sabotage your employer. I don't think that's a good argument for requiring a license, as if you do so, the result will be the same: your employer will fire you and consider suing you for the damage caused.
There have been efforts to license nearly every profession in existence. Would you favor mandatory licenses for IT workers, support staff, programmers, or whatever job you have? Are there any jobs you wouldn't want to use that on?
If you do work in security, and are licensed, and have access to the corporate office and/or network and do damage by either failing to do your job competently or deliberately doing it to sabotage your employer, does your employer fire you and consider suing you and/or the licensing authorities for the damage caused?
Hmmmm?
Others would fundamentally disagree with you, HildyJ, and be somewhat perplexed that you would think a regulatory burden that potentially stifles innovation is something got right rather than a proposal gone seriously wrong ...... and therefore most unlikely to be successful in practice or welcomed in theory.
A good thing maybe, Cav, but you must admit surely, the chances of it being almighty successful are extremely slim at best, for the prizes and rewards offered and delivered whenever one knows what needs to be done and how to do it without any possible attribution being possible are just far too great and attractive an opportunity to resist and not exploit and expand services for/in for a whole host and great number of appreciative and generous customer clients/allies/partners
It’s only natural in that sort of business teeming with cowboys and pirates/private enterprise and bounty hunters.
That's already a crime. Pentesting without permission is no different from regular crimes, just as if I broke into your house without permission, whether I meant to take your stuff or demonstrate that your lock isn't good makes no difference. You don't need a law to eliminate that defense; it's invalid and thoroughly rejected.
I was thinking more bug bounty type affair. "I was trying to get google to pay me for the bug I found" as a defence for hacking google
There is the other one where pentesters are caught and the company denies employing them - though that is more the plot of movies than massively common
I feel a very explicit contract on the scope of each pen test would better serve the situation.
The new laws will remove the free lance bug hunters, which means less exploits being reported to proper vendors and more to those that will abuse them.
at least their motive sounds good.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
