Course Duration: 3 Days

Course Category: Software Testing

 

21 PDUs (Professional Development Units)

ISTQB Certified Tester Advanced Level (CTAL) – Security Tester

 

About the Program

The ISTQB (International Software Testing Qualifications Board) advanced level certifications are part of the ISTQB internationally recognised software testing qualifications, which include the following certifications:

  • Certified Tester Foundation Level (CTFL)
  • Certified Tester Advanced Level (CTAL)
  • Certified Tester Expert Level
 
The Certified Tester Advanced Level comprises three distinct core certifications, namely Test Manager, Test Analyst and Technical Test Analyst, and two specialist certifications, Security Tester and Test Automation Engineer.

 

Course Objectives

To provide an understanding of security testing issues that goes beyond the ISTQB Foundation level, giving participants the knowledge and skills required to become an Advanced Security Tester.

 

Skills Gained

An Advanced Security Tester can help:

  • Plan, perform and evaluate security tests from a variety of perspectives – policy-based, risk-based, standards-based, requirements-based and vulnerability-based.
  • Align security test activities with project lifecycle activities.
  • Analyze the effective use of risk assessment techniques in a given situation to identify current and future security threats and assess their severity levels.
  • Evaluate the existing security test suite and identify any additional security tests.
  • Analyze a given set of security policies and procedures, along with security test results, to determine effectiveness.
  • For a given project scenario, identify security test objectives based on functionality, technology attributes and known vulnerabilities.
  • Analyze a given situation and determine which security testing approaches are most likely to succeed in that situation.
  • Identify areas where additional or enhanced security testing may be needed.
  • Evaluate effectiveness of security mechanisms.
  • Help the organization build information security awareness.
  • Demonstrate the attacker mentality by discovering key information about a target, performing actions on a test application in a protected environment that a malicious person would perform, and understanding how evidence of the attack could be deleted.
  • Analyze a given interim security test status report to determine the level of accuracy, understandability, and stakeholder appropriateness.
  • Analyze and document security test needs to be addressed by one or more tools.
  • Analyze and select candidate security test tools for a given tool search based on specified needs.
  • Understand the benefits of using security testing standards and where to find them.

 

Pre-Requisites

A candidate aspiring to take the Security Tester advanced level qualification must have successfully completed the ISTQB-BCS Certified Tester Foundation Level (earlier known as the ISEB Foundation Certificate in Software Testing) or the ISTQB Certified Tester Foundation Level (CTFL), and must have sufficient practical experience to be certified at Advanced Level, which should be not less than 3 (three) years of relevant academic, practical, or consulting experience.

There are no pre-requisites for attending the course purely for education and knowledge purposes.

 

Who will Benefit

This 3-day course is most appropriate for Testers, Test Analysts, Test Engineers, Test Consultants, Software Developers and anyone who possesses some experience in security testing and wishes to build on that knowledge.

 

Training and Exam Duration

Training: 3 days
The course material shall be issued on the first day of the course during registration.

Exam: 120 minutes (2 hours) duration
 
Exam Pattern

The CTAL – Security Tester exam consists of 45 multiple choice questions that total 80 marks.

The questions differ in difficulty and are therefore assigned differing numbers of points. The exam is closed-book, i.e. no materials are allowed to be used. The candidate must achieve at least 65% (52 out of 80) of the total score possible.

 

Course Outline

Introduction

 

The Basis of Security Testing

  • Security Risks
    • The Role of Risk Assessment in Security Testing
    • Asset Identification
    • Analysis of Risk Assessment Techniques
  • Information Security Policies and Procedures
    • Understanding Security Policies and Procedures
    • Analysis of Security Policies and Procedures
  • Security Auditing and Its Role in Security Testing
    • Purpose of a Security Audit
    • Risk Identification, Assessment and Mitigation
    • People, Process and Technology

Security Testing Purposes, Goals and Strategies

  • Introduction
  • The Purpose of Security Testing
  • The Organizational Context
  • Security Testing Objectives
    • The Alignment of Security Testing Goals
    • Identification of Security Test Objectives
    • The Difference Between Information Assurance and Security Testing
  • The Scope and Coverage of Security Testing Objectives
  • Security Testing Approaches
    • Analysis of Security Test Approaches
    • Analysis of Failures in Security Test Approaches
    • Stakeholder Identification
  • Improving the Security Testing Practices

Security Testing Processes

  • Security Test Process Definition
    • ISTQB Security Testing Process
    • Aligning the Security Testing Process to a Particular Application Lifecycle Model
  • Security Test Planning
    • Security Test Planning Objectives
    • Key Security Test Plan Elements
  • Security Test Design
    • Security Test Design
    • Security Test Design Based on Policies and Procedures
  • Security Test Execution
    • Key Elements and Characteristics of an Effective Security Test Environment
    • The Importance of Planning and Approvals in Security Testing
  • Security Test Evaluation
  • Security Test Maintenance

 

Security Testing Throughout the Software Lifecycle

  • The Role of Security Testing in a Software Lifecycle
    • The Lifecycle View of Security Testing
    • Security-Related Activities in the Software Lifecycle
  • The Role of Security Testing in Requirements
  • The Role of Security Testing in Design
  • The Role of Security Testing in Implementation Activities
    • Security Testing During Component Testing
    • Security Test Design at the Component Level
    • Analysis of Security Tests at the Component Level
    • Security Testing During Component Integration Testing
    • Security Test Design at the Component Integration Level
  • The Role of Security Testing in System and Acceptance Test Activities
    • The Role of Security Testing in System Testing
    • The Role of Security Testing in Acceptance Testing
  • The Role of Security Testing in Maintenance

Testing Security Mechanisms

  • System Hardening
    • Understanding System Hardening
    • Testing the Effectiveness of System Hardening Mechanisms
  • Authentication and Authorization
    • The Relationship Between Authentication and Authorization
    • Testing the Effectiveness of Authentication and Authorization Mechanisms
  • Encryption
    • Understanding Encryption
    • Testing the Effectiveness of Common Encryption Mechanisms
  • Firewalls and Network Zones
    • Understanding Firewalls
    • Testing Firewall Effectiveness
  • Intrusion Detection
    • Understanding Intrusion Detection Tools
    • Testing the Effectiveness of Intrusion Detection Tools
  • Malware Scanning
    • Understanding Malware Scanning Tools
    • Testing the Effectiveness of Malware Scanning Tools
  • Data Obfuscation
    • Understanding Data Obfuscation
    • Testing the Effectiveness of Data Obfuscation Approaches
  • Training
    • The Importance of Security Training
    • How to Test the Effectiveness of Security Training

 

Human Factors in Security Testing

  • Understanding the Attackers
    • The Impact of Human Behavior on Security Risks
    • Understanding the Attacker Mentality
    • Common Motivations and Sources of Computer System Attacks
    • Understanding Attack Scenarios and Motivations
  • Social Engineering
  • Security Awareness
    • The Importance of Security Awareness
    • Increasing Security Awareness

Security Test Evaluation and Reporting

  • Security Test Evaluation
  • Security Test Reporting
    • Confidentiality of Security Test Results
    • Creating Proper Controls and Data Gathering Mechanisms for Reporting Security Test Status
    • Analyzing Interim Security Test Status Reports

Security Testing Tools

  • Types and Purposes of Security Testing Tools
  • Tool Selection
  • Analyzing and Documenting Security Testing Needs
  • Issues with Open Source Tools
  • Evaluating a Tool Vendor’s Capabilities

Standards and Industry Trends

  • Understanding Security Testing Standards
    • The Benefits of Using Security Testing Standards
    • Applicability of Standards in Regulatory Versus Contractual Situations
    • Selection of Security Standards
  • Applying Security Standards
  • Industry Trends
    • Where to Learn of Industry Trends in Information Security
    • Evaluating Security Testing Practices for Improvement
       

ISTQB® is a Registered Trade Mark of the International Software Testing Qualifications Board.