by devsecguy 2764 days ago
In the UK at least there has been a strong drive to regulate security companies through organisations like CREST and CHECK. The problem is that it's an industry with a massive amount of hidden information. If somebody does a pen test on a corporate network and says "we didn't find any vulnerabilities", how does a company know if they have actually done a thorough check or if the network is genuinely secure?

Yes in an ideal world we wouldn't need certifications or exams or anything but this isn't an ideal world.


I don't know what part of "there are no certificates required to do this kind of work" I'm failing to communicate. My last company was acquired by NCC Group, a UK public company, and I haven't met anyone from the UK side who was certified either.
I never once said that certifications are required to do this work though, did I?