
ISTQB CT-STE

ISTQB® CT - Security Test Engineer

Description

An ISTQB® Certified Security Test Engineer can:

  • Understand fundamental security paradigms and their impact on security testing.
  • Apply appropriate security testing techniques, recognizing their strengths and limitations.
  • Contribute to the planning, design, and execution of security tests.
  • Utilize security testing standards and best practices effectively.
  • Adapt security testing activities to the specific organizational context.
  • Align security testing with different development methods and software development lifecycles.
  • Integrate security testing results into an Information Security Management System (ISMS) for active risk management.
  • Collect, evaluate, and consolidate test results, producing a detailed report with all findings and evidence.
  • Identify tooling requirements for security testing and assist in selecting the appropriate tools based on the required approach.


Chapter 1: Security Paradigms

  • Asset Security Levels
    • Explain different security levels of assets and their corresponding protection level.
    • Explain the relationship between information sensitivity and security testing.
  • Security Audits
    • Describe the role of security testing in the context of security audits.
  • The Concept of Zero Trust
    • Explain the concept of Zero Trust.
    • Apply Zero Trust concept in security testing.
  • Open-Source Software
    • Exemplify the concept of Open-Source Software (OSS) reuse in software development and its impacts on security testing.

Chapter 2: Security Test Techniques

  • Applying Security test types according to a test context
    • Give examples of security test types according to the black-box, grey-box, or white-box security context.
    • Give examples of security test types according to dynamic security testing or static security testing.
  • Applying Security test types according to a project and technical context
    • Apply security test cases, based on a given security test approach, along with identified functional and structural security risks.
    • Describe how to do recertification testing and reconciliation testing for identities and permissions.
    • Describe how to test Identity and access management control.
    • Describe how to test data protection control.
    • Describe how to test protective technology.

Chapter 3: The Security Test Process

  • The Security Test Process
    • Explain different activities, tasks, and responsibilities within a security test process.
    • Understand the key elements and characteristics of an effective security test environment.
  • Designing security tests
    • Give examples of security tests based on a given code base on component test levels.
    • Give examples of security tests based on design specifications on the component integration level.
    • Implement an end-to-end security test that validates one or more security requirements related to one or more business processes.

Chapter 4: Standards and Best Practices

  • Introduction to standards and best practices
    • Explain different sources of test standards and best practices and their applicability.
  • Apply necessary standards and best practices for security testing
    • Apply the concepts of OWASP, CVE, and CVSS and learn how to leverage them for security testing.
  • Leveraging Standards and Best Practices
    • Explain the pros and cons of test oracles used for security testing.
    • Understand the pros and cons of using security best practices and standards.

Chapter 5: Adjusting To the Organizational Context

  • The impact of organizational structures in the context of security testing
    • Analyze a given organizational context and determine which specific aspects to consider for security testing.
  • The impact of regulations on security policies and how to test them
    • Analyze the impact of regulations on security policies and how to test them.
  • Analyze an attack scenario
    • Analyze an attack scenario (attack performed and discovered) and identify possible sources and motivations of the attack.

Chapter 6: Adjusting to Software Development Lifecycle Models

  • The Effects from Different Software Development Lifecycle Models
    • Summarize why security testing activities should cover the software development lifecycle.
    • Analyze how different system development models impact security testing activities.
  • Security Test during maintenance
    • Define and perform security regression tests and confirmation tests based on a system's change.
    • Analyze security testing results to determine the nature of a security vulnerability and its potential technical impact.

Chapter 7: Security Testing as Part of an Information Security Management System

  • Acceptance Criteria for Security Testing
    • Understand acceptance criteria of security testing and how they influence selecting security testing approaches and test techniques.
  • Input for an Information Security Management System
    • Understand the role of security testing for an effective information security management system.
  • Improving an ISMS by Adjusted Security Testing
    • Evaluate ISMS maturity by bringing in different test approaches, new test objects, or improved coverage.
    • Understand measurability within an ISMS.

Chapter 8: Reporting Test Results

  • Security Test Reporting
    • Understand the criticality of security testing results and how this affects their handling and communication.
  • Identifying and Analyzing Vulnerabilities
    • Evaluate the results from a given security test to identify security vulnerabilities.
  • Close Vulnerabilities
    • Evaluate different techniques for closing identified vulnerabilities.

Chapter 9: Security Test Tools

  • Categorization of Security Test Tools
    • Analyze different use cases and apply categorizations for security testing tools.
  • Selecting Security Testing Tools
    • Understand the usage and concepts of dynamic security testing tools.
    • Understand the usage and concepts of static security testing tools.

Target Audience

This certification is ideal for professionals looking to strengthen their security testing knowledge, improve software security, and ensure compliance with industry standards.

It is particularly beneficial for:

  • Software Testers & Test Engineers – who want to expand their expertise into security testing techniques and methodologies.
  • Security Testers & Ethical Hackers – who need a structured approach to security testing processes, standards, and best practices.
  • Test Managers & QA Professionals – responsible for incorporating security testing into test strategies and ensuring compliance with security policies.
  • Software Developers & Architects – who want to understand security vulnerabilities, implement secure coding practices, and collaborate with security testers.
  • DevOps & Security Engineers – who work with CI/CD pipelines, automated security testing, and risk mitigation.
  • IT Auditors & Compliance Officers – who need insights into security testing’s role in audits, regulations, and ISMS integration.

Requirements

  • Have successfully passed the ISTQB® CTFL Certification exam and hold the certificate.
  • First experience in the field of security is recommended but not required.

Download the syllabi for this certification or see sample exams.


The global exam price varies depending on the certification and your geographical location.

Book your Certification Exam


Brightest Private Exam

Electronic exams for individuals administered by a Pearson VUE expert in real time via webcam (now also available for ISTQB).


Brightest Center Exam

Electronic exam for individuals at any of the 5200+ Test Centres with easy registration via the Pearson VUE website.


Brightest Green Exam

Electronic group exams of at least 6 participants in six different languages, anywhere in the world.


Brightest Paper Exam

The classic exam experience for groups of at least 6 participants in a growing number of languages.