Overview

The ISTQB® Security Tester (CT-SEC) certification focuses on planning, performing, and evaluating security tests from multiple perspectives including risk, requirements, vulnerability, and human factors. It also covers security testing tools and standards.

Audience

The Security Tester certification is aimed at people who have some experience in security testing and wish to further develop their expertise in security testing.

To gain this certification, candidates must hold the Certified Tester Foundation Level certificate and not less than 3 (three) years of relevant academic, practical, or consulting experience. Please contact an ISTQB® Member Board or Exam Provider to determine the specific practical experience criteria.

Content

ISTQB® Certified Tester – Security Tester (CT-SEC)

The Basis of Security Testing

  • Security Risk
  • Information Security Policies and Procedures
  • Security Auditing and Its Role in Security Testing

Security Testing Purpose, Goals and Strategies

  • Introduction
  • The Purpose of Security Testing
  • The Organizational Context
  • Security Testing Objectives
  • The Scope and Coverage of Security Testing Objectives
  • Security Testing Approaches
  • Improving the Security Testing Practices

Security Testing Processes

  • Security Test Process Definition
  • Security Test Planning
  • Security Test Design
  • Security Test Execution
  • Security Test Evaluation
  • Security Test Maintenance

Security Testing Throughout the Software Lifecycle

  • The Role of Security Testing in a Software Lifecycle
  • The Role of Security Testing in Requirements
  • The Role of Security Testing in Design
  • The Role of Security Testing in Implementation Activities
  • The Role of Security Testing in System and Acceptance Test Activities
  • The Role of Security Testing in Maintenance

Testing Security Mechanisms

  • System Hardening
  • Authentication and Authorization
  • Encryption
  • Firewalls and Network Zones
  • Intrusion Detection
  • Malware Scanning
  • Data Obfuscation
  • Training

Human Factors in Security Testing

  • Understanding the Attackers
  • Social Engineering
  • Security Awareness

Security Test Evaluation and Reporting

  • Security Test Evaluation
  • Security Test Reporting

Security Testing Tools

  • Types and Purposes of Security Testing Tools
  • Tool Selection

Standards and Industry Trends

  • Understanding Security Testing Standards
  • Applying Security Standards
  • Industry Trends

Exam Structure

  • No. of Questions: 45
  • Passing Score: 52
  • Total Points: 80
  • Exam Length (mins): 120 (+25% Non-Native Language)

Business Outcomes

Advanced Level testers who have passed the “Advanced Security Tester” module exam should be able to accomplish the following Business Objectives:

  • Plan, perform and evaluate security tests from a variety of perspectives – policy-based, risk-based, standards-based, requirements-based and vulnerability-based.
  • Align security test activities with project lifecycle activities.
  • Analyze the effective use of risk assessment techniques in a given situation to identify current and future security threats and assess their severity levels.
  • Evaluate the existing security test suite and identify any additional security tests.
  • Analyze a given set of security policies and procedures, along with security test results, to determine effectiveness.
  • For a given project scenario, identify security test objectives based on functionality, technology attributes and known vulnerabilities.
  • Analyze a given situation and determine which security testing approaches are most likely to succeed in that situation.
  • Identify areas where additional or enhanced security testing may be needed.
  • Evaluate effectiveness of security mechanisms.
  • Help the organization build information security awareness.
  • Demonstrate the attacker mentality by discovering key information about a target, performing actions on a test application in a protected environment that a malicious person would perform, and understand how evidence of the attack could be deleted.
  • Analyze a given interim security test status report to determine the level of accuracy, understandability, and stakeholder appropriateness.
  • Analyze and document security test needs to be addressed by one or more tools.
  • Analyze and select candidate security test tools for a given tool search based on specified needs.
  • Understand the benefits of using security testing standards and where to find them.

More Information

Training is available from Accredited Training Providers (classroom, virtual, and e-learning). We highly recommend attending accredited training as it ensures that an ISTQB® Member Board has assessed the materials for relevance and consistency against the syllabus.

Self-study, using the syllabus and recommended reading material, is also an option when preparing for the exam.

Holders of this certification may choose to proceed to other Core, Agile, or Specialist stream certifications.