To earn the ISTQB Certified Tester Security Tester designation, candidates must pass the CT-SEC exam with at least the minimum passing score. If you want to pass the ISTQB Security Tester certification exam with a comfortable margin, consult the following reference, which details what ISTQB CT - Security Tester exam preparation should cover.
The ISTQB CT-SEC exam summary, sample question bank and practice exam below are modelled on the real ISTQB Certified Tester - Security Tester (CT-SEC) exam. We designed these resources to help you prepare for it. If you have decided to become a certified professional, we suggest authorized training together with our online premium ISTQB Security Tester practice exam to achieve the best result.
ISTQB CT-SEC Exam Summary:
| Item | Detail |
|---|---|
| Exam Name | ISTQB Certified Tester Security Tester |
| Exam Code | CT-SEC |
| Exam Fee | USD $249 |
| Exam Duration | 120 Minutes |
| Number of Questions | 45 |
| Passing Score | 52 / 80 points (65%) |
| Format | Multiple Choice Questions |
| Schedule Exam | Pearson VUE |
| Sample Questions | ISTQB CT - Security Tester Exam Sample Questions and Answers |
| Practice Exam | ISTQB Certified Tester - Security Tester (CT-SEC) Practice Test |
ISTQB Security Tester Syllabus Topics:
| Topic | Details | 
|---|---|
| The Basis of Security Testing - 105 mins. | |
| Security Risks | - Understand the role of risk assessment in supplying information for security test planning and design and aligning security testing with business needs - Identify the significant assets to be protected, the value of each asset and the data required to assess the level of security needed for each asset - Analyze the effective use of risk assessment techniques in a given situation to identify current and future security threats | 
| Information Security Policies and Procedures | - Understand the concept of security policies and procedures and how they are applied in information systems - Analyze a given set of security policies and procedures along with security test results to determine effectiveness | 
| Security Auditing and Its Role in Security Testing | - Understand the purpose of a security audit | 
| Security Testing Purposes, Goals and Strategies - 130 mins. | |
| Introduction | |
| The Purpose of Security Testing | - Understand why security testing is needed in an organization, including benefits to the organization such as risk reduction and higher levels of confidence and trust | 
| The Organizational Context | - Understand how project realities, business constraints, software development lifecycle, and other considerations affect the mission of the security testing team | 
| Security Testing Objectives | - Explain why security testing goals and objectives must align with the organization's security policy and other test objectives in the organization - For a given project scenario, demonstrate the ability to identify security test objectives based on functionality, technology attributes and known vulnerabilities - Understand the relationship between information assurance and security testing | 
| The Scope and Coverage of Security Testing Objectives | - For a given project, demonstrate the ability to define the relationship between security test objectives and the need for strength of integrity of sensitive digital and physical assets | 
| Security Testing Approaches | - Analyze a given situation and determine which security testing approaches are most likely to succeed - Analyze a situation in which a given security testing approach failed, identifying the likely causes of failure - For a given scenario, demonstrate the ability to identify the various stakeholders and illustrate the benefits of security testing for each stakeholder group | 
| Improving the Security Testing Practices | - Analyze KPIs (key performance indicators) to identify security testing practices needing improvement and elements not needing improvement | 
| Security Testing Processes - 140 mins. | |
| Security Test Process Definition | - For a given project, demonstrate the ability to define the elements of an effective security test process | 
| Security Test Planning | - Analyze a given security test plan, giving feedback on strengths and weaknesses of the plan | 
| Security Test Design | - For a given project, implement conceptual (abstract) security tests, based on a given security test approach, along with identified functional and structural security risks - Implement test cases to validate security policies and procedures | 
| Security Test Execution | - Understand the key elements and characteristics of an effective security test environment - Understand the importance of planning and obtaining approvals before performing any security test | 
| Security Test Evaluation | - Analyze security test results to determine the following: |
| Security Test Maintenance | - Understand the importance of maintaining security testing processes given the evolving nature of technology and threats | 
| Security Testing Throughout the Software Lifecycle - 225 mins. | |
| Role of Security Testing in a Software Lifecycle | - Explain why security is best achieved within a lifecycle process - Implement the appropriate security-related activities for a given software lifecycle (e.g., iterative, sequential) | 
| The Role of Security Testing in Requirements | - Analyze a given set of requirements from the security perspective to identify deficiencies | 
| The Role of Security Testing in Design | - Analyze a given design document from the security perspective to identify deficiencies | 
| The Role of Security Testing in Implementation Activities | - Understand the role of security testing during component testing - Implement component level security tests (abstract) given a defined coding specification - Analyze the results from a given component level test to determine the adequacy of code from the security perspective - Understand the role of security testing during component integration testing - Implement component integration security tests (abstract) given a defined system specification | 
| The Role of Security Testing in System and Acceptance Test Activities | - Implement an end-to-end test scenario for security testing which verifies one or more given security requirements and tests a described functional process - Demonstrate the ability to define a set of acceptance criteria for the security aspects of a given acceptance test | 
| The Role of Security Testing in Maintenance | - Implement an end-to-end security retest/regression test approach based on a given scenario | 
| Testing Security Mechanisms - 240 mins. | |
| System Hardening | - Understand the concept of system hardening and its role in enhancing security - Demonstrate how to test the effectiveness of common system hardening mechanisms | 
| Authentication and Authorization | - Understand the relationship between authentication and authorization and how they are applied in securing information systems - Demonstrate how to test the effectiveness of common authentication and authorization mechanisms | 
| Encryption | - Understand the concept of encryption and how it is applied in securing information systems - Demonstrate how to test the effectiveness of common encryption mechanisms | 
| Firewalls and Network Zones | - Understand the concept of firewalls and the use of network zones and how they are applied in securing information systems - Demonstrate how to test the effectiveness of existing firewall implementations and network zones | 
| Intrusion Detection | - Understand the concept of intrusion detection tools and how they are applied in securing information systems - Demonstrate how to test the effectiveness of existing intrusion detection tool implementations | 
| Malware Scanning | - Understand the concept of malware scanning tools and how they are applied in securing information systems - Demonstrate how to test the effectiveness of existing malware scanning tool implementations | 
| Data Obfuscation | - Understand the concept of data obfuscation tools and how they are applied in securing information systems - Demonstrate how to test the effectiveness of data obfuscation approaches | 
| Training | - Understand the concept of security training as a software lifecycle activity and why it is needed in securing information systems - Demonstrate how to test the effectiveness of security training | 
| Human Factors in Security Testing - 105 mins. | |
| Understanding the Attackers | - Explain how human behavior can lead to security risks and how it impacts the effectiveness of security testing - For a given scenario, demonstrate the ability to identify ways in which an attacker could discover key information about a target and apply measures to protect the environment - Explain the common motivations and sources for performing computer system attacks - Analyze an attack scenario (attack performed and discovered) and identify possible sources and motivation for the attack | 
| Social Engineering | - Explain how security defenses can be compromised by social engineering | 
| Security Awareness | - Understand the importance of security awareness throughout the organization - Given certain test outcomes, apply appropriate actions to increase security awareness | 
| Security Test Evaluation and Reporting - 70 mins. | |
| Security Test Evaluation | - Understand the need to revise security expectations and acceptance criteria as the scope and goals of a project evolve | 
| Security Test Reporting | - Understand the importance of keeping security test results confidential and secure - Understand the need to create proper controls and data-gathering mechanisms to provide the source data for the security test status reports in a timely, accurate, and precise fashion (e.g., a security test dashboard) - Analyze a given interim security test status report to determine the level of accuracy, understandability, and stakeholder appropriateness | 
| Security Testing Tools - 55 mins. | |
| Types and Purposes of Security Testing Tools | - Explain the role of static and dynamic analysis tools in security testing | 
| Tool Selection | - Analyze and document security testing needs to be addressed by one or more tools - Understand the issues with open source tools - Understand the need to evaluate the vendor’s capabilities to update tools on a frequent basis to stay current with security threats | 
| Standards and Industry Trends - 40 mins. | |
| Understanding Security Testing Standards | - Understand the benefits of using security testing standards and where to find them - Understand the difference in applicability of standards in regulatory versus contractual situations | 
| Applying Security Standards | - Understand the difference between mandatory (normative) and optional (informative) clauses within any standard | 
| Industry Trends | - Understand where to learn of industry trends in information security | 
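The "Implementation Activities" and "Authentication and Authorization" objectives above ask the candidate to implement component-level security tests from a coding specification and to judge whether the code is adequate from a security perspective. As an added illustration (not part of the ISTQB syllabus, the exam, or this page), the Python below encodes a hypothetical access-control specification as an expected-outcome matrix, runs a policy implementation against it, and shows that the same matrix flags a constructed defective variant that confuses "authenticated" with "authorized". All names (`AccessPolicy`, `FlawedPolicy`, the users and records) are assumptions made for this example.

```python
"""Added example: a component-level authorization test driven by an
access matrix. The policy classes, users and records are constructed
for illustration only; they do not come from the ISTQB syllabus."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Record:
    record_id: str
    owner_id: str
    classification: str  # "public" or "confidential"


class AccessPolicy:
    """Hypothetical component under test. Assumed specification:
    - anonymous callers (user is None) may read only public records;
    - an authenticated user may read public records and own records;
    - the 'auditor' role may read any record but never write;
    - only the owner or an 'admin' may write; admin may also read any."""

    def can_read(self, user, record):
        if record.classification == "public":
            return True
        if user is None:
            return False
        return (user.user_id == record.owner_id
                or "auditor" in user.roles
                or "admin" in user.roles)

    def can_write(self, user, record):
        if user is None:
            return False
        return user.user_id == record.owner_id or "admin" in user.roles


class FlawedPolicy(AccessPolicy):
    """Constructed defective variant: grants write to any logged-in user,
    i.e. it checks authentication where it should check authorization."""

    def can_write(self, user, record):
        return user is not None


# Constructed test subjects and objects.
ALICE = User("alice")
BOB = User("bob")
AUDITOR = User("carol", frozenset({"auditor"}))
ADMIN = User("dave", frozenset({"admin"}))
ANON = None
PUBLIC = Record("r1", "alice", "public")
SECRET = Record("r2", "alice", "confidential")

# (subject, record, action, expected). Negative cases (expected False)
# are the ones functional testing usually forgets and attackers rely on.
ACCESS_MATRIX = [
    (ANON, PUBLIC, "read", True),
    (ANON, SECRET, "read", False),
    (ANON, PUBLIC, "write", False),
    (ALICE, SECRET, "read", True),
    (ALICE, SECRET, "write", True),
    (BOB, SECRET, "read", False),       # horizontal escalation check
    (BOB, SECRET, "write", False),
    (BOB, PUBLIC, "write", False),
    (AUDITOR, SECRET, "read", True),
    (AUDITOR, SECRET, "write", False),  # read-only role must stay read-only
    (ADMIN, SECRET, "read", True),
    (ADMIN, SECRET, "write", True),
]


def run_access_matrix(policy, matrix=ACCESS_MATRIX):
    """Run every matrix row against the policy; return a list of
    human-readable failures (empty list means the policy meets the spec)."""
    failures = []
    for user, record, action, expected in matrix:
        check = policy.can_read if action == "read" else policy.can_write
        actual = check(user, record)
        if actual != expected:
            who = "anonymous" if user is None else user.user_id
            failures.append(f"{who} {action} {record.record_id}: "
                            f"expected {expected}, got {actual}")
    return failures


if __name__ == "__main__":
    print("AccessPolicy failures:", run_access_matrix(AccessPolicy()))
    for line in run_access_matrix(FlawedPolicy()):
        print("FlawedPolicy FAIL:", line)
```

The matrix is the test design artifact the syllabus calls "abstract" tests: it is derived from the specification, not from the implementation, so it can be reviewed by stakeholders before any code exists and reused unchanged as a regression suite during maintenance. Running it against `FlawedPolicy` reports three write-path failures (Bob and the auditor gaining write), which is exactly the evidence a security test report needs.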
Both ISTQB and practitioners who have earned multiple certifications agree that the best preparation for an ISTQB CT-SEC certification exam is practical experience, hands-on training and practice exams. This is the most effective way to gain an in-depth understanding of ISTQB CT - Security Tester concepts: when you understand the techniques rather than memorize them, you retain the ISTQB Security Tester material and can recall it when needed.
