Advanced Security Tester Course Outline

Similar documents
Expert Test Manager: Operational Module Course Outline

Agile Tester Foundation E-learning Course Outline

Certified Tester. Expert Level. Modules Overview

Training and Certifying Security Testers Beyond Penetration Testing

Advanced Tester Certification Test Manager

Certificate Software Asset Management Essentials Syllabus. Version 2.0

CompTIA Cybersecurity Analyst+

Department of Management Services REQUEST FOR INFORMATION

"Charting the Course... ITIL 2011 Managing Across the Lifecycle ( MALC ) Course Summary

ISTQB Expert Level. Introduction and overview

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

SERVICE TRANSITION ITIL INTERMEDIATE TRAINING & CERTIFICATION

ITIL Managing Across the Lifecycle (MALC)

ISTQB Advanced Level (CTAL)

ISTQB in a Nutshell. ISTQB Marketing Working Group. February 2012 v10

COURSE BROCHURE. ITIL - Intermediate Service Transition. Training & Certification

Device Discovery for Vulnerability Assessment: Automating the Handoff

ITIL - Lifecycle Service Transition Course

Courses. X E - Verify that system acquisitions policies and procedures include assessment of risk management policies X X

NCSF Foundation Certification

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Time Tested. Testing Improved. The Materials

CCISO Blueprint v1. EC-Council

ITIL Intermediate: Operational Support and Analysis Lesson Plan

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Certified Tester. Foundation Level. Overview

SECURITY TRAINING SECURITY TRAINING

Practitioner Certificate in Business Continuity Management (PCBCM) Course Description. 10 th December, 2015 Version 2.0

EC-Council C EH. Certified Ethical Hacker. Program Brochure

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Maximum Security with Minimum Impact : Going Beyond Next Gen

Sage Data Security Services Directory

10 FOCUS AREAS FOR BREACH PREVENTION

The Learner can: 1.1 Describe the common types of security breach that can affect the organisation, such as:

SIGS AFTERWORK EVENT. Security: which operational model for which scenario. Hotel Warwick - Geneva

COBIT 5 Implementation

ISO/IEC INTERNATIONAL STANDARD

ITIL Service Transition Lifecycle

BPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability.

BCS Level 4 Certificate in Cyber Security Introduction Syllabus QAN 603/0830/8

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

Course overview. CompTIA Security+ Certification (Exam SY0-501) Study Guide (G635eng v107)

Cybersecurity Auditing in an Unsecure World

"Charting the Course... ITIL 2011 Operations Support Analysis (OSA) Certification Program. Course Summary

COBIT 5 Foundation. Lesson Plan. Mock Exam: Duration: Language:

Security. Protect your business from security threats with Pearl Technology. The Connection That Matters Most

Qualification Specification

Establishing a Framework for Effective Testing and Validation of Critical Infrastructure Cyber-Security

Carbon Black PCI Compliance Mapping Checklist

Protect Your Organization from Cyber Attacks

COURSE BROCHURE. ITIL - Expert Managing Across Lifecycle Training & Certification

TEL2813/IS2820 Security Management

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

Session 5311 Critical Testing Programs for Security Operations

COURSE BROCHURE CISA TRAINING

CYSE 411/AIT 681 Secure Software Engineering. Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles

CyberSecurity. Penetration Testing. Penetration Testing. Contact one of our specialists for more information CYBERSECURITY SERVICE DATASHEET

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

4. Risk-Based Security Testing. Reading. CYSE 411/AIT 681 Secure Software Engineering. Seven Touchpoints. Application of Touchpoints

CompTIA Security+ Study Guide (SY0-501)

The Common Controls Framework BY ADOBE

SECURITY & PRIVACY DOCUMENTATION

CSIRT in general CSIRT Service Categories Reactive Services Proactive services Security Quality Management Services CSIRT. Brmlab, hackerspace Prague

"Charting the Course... ITIL 2011 Service Offerings & Agreement (SOA) Certification Program. Course Summary

Automating the Top 20 CIS Critical Security Controls

ITIL - Managing Across Lifecycle Course

Protecting your data. EY s approach to data privacy and information security

Pearson CompTIA: Security+ SY0-401 (Course & Lab) Course Outline. Pearson CompTIA: Security+ SY0-401 (Course & Lab)

External Supplier Control Obligations. Cyber Security

CEH: CERTIFIED ETHICAL HACKER v9

SECURITY TESTING: THE MISSING LINK IN INFORMATION SECURITY

CISO as Change Agent: Getting to Yes

BCS Foundation Certificate in Software Asset Management Essentials Syllabus

PECB Change Log Form

ITIL 2011 Foundation Lesson Plan

ALTITUDE DOESN T MAKE YOU SAFE. Satcom Direct s Comprehensive Cyber Security Portfolio for Business Aviation

Development*Process*for*Secure* So2ware

Standard Course Outline IS 656 Information Systems Security and Assurance

CompTIA Security+ SY Course Outline. CompTIA Security+ SY May 2018

Qualification Specification for the Knowledge Modules that form part of the BCS Level 4 Software Developer Apprenticeship

BCS Specialist Certificate in Change Management Syllabus

Security Management Models And Practices Feb 5, 2008

Certified in the Governance of Enterprise IT Training - Brochure

RSA Solution Brief. Managing Risk Within Advanced Security Operations. RSA Solution Brief

ISTQB What next? Geoff Thompson Interim ISTQB President

BCS Level 3 Certificate in Programming Syllabus QAN 603/1192/7

BCM Program Development

Professional Qualifications for ITIL PRACTICES FOR SERVICE MANAGEMENT. The ITIL Foundation Certificate in IT Service Management SYLLABUS

Nebraska CERT Conference

PREPARE & PREVENT. The SD Comprehensive Cybersecurity Portfolio for Business Aviation

ISSEP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

CCNA Cybersecurity Operations 1.1 Scope and Sequence

COURSE BROCHURE. COBIT5 FOUNDATION Training & Certification

CertifiedAT - Version: 1. ISTQB Certified Agile Tester Foundation Level Extension

ITIL 2011 Overview - 1 Day (English and French)

Matt Walker s All in One Course for the CEH Exam. Course Outline. Matt Walker s All in One Course for the CEH Exam.

ISM 324: Information Systems Security Spring 2014

Transcription:

Advanced Security Tester Course Outline General Description This course provides test engineers with advanced skills in security test analysis, design, and execution. In a hands-on, interactive fashion, you ll learn how to plan, perform, and evaluate security tests based on organizational security policies, security risks and standards, and common vulnerabilities, within the context of the project lifecycle. Using a running case study, you ll work through ways to analyze current and future security threats, the coverage of existing security tests against these threats, and the adequacy of security policies, procedures, and mechanisms. You ll determine what security tests are most important. You ll evaluate a particular security testing approach will succeed and suggest enhancements where needed. You ll learn ways to help your organization become more aware of security awareness, and practice thinking like a hacker so you can anticipate the bad guys moves with smart security tests. You ll explore options for reporting security test results that don t leak important information to those without a need to know, and also options for using tools to support your security test efforts. By the end of this course, an attendee should be able to: Plan, perform and evaluate security tests from a variety of perspectives policy-based, risk-based, standards-based, requirements-based and vulnerability-based. Align security test activities with project lifecycle activities. Analyze the effective use of risk assessment techniques in a given situation to identify current and future security threats and assess their severity levels. Evaluate the existing security test suite and identify any additional security tests. Analyze a given set of security policies and procedures, along with security test results, to determine effectiveness. For a given project scenario, identify security test objectives based on functionality, technology attributes and known vulnerabilities. ISTQB Advanced Security Tester (v1.0) 1 Copyright 2017, All Rights Reserved

Analyze a given situation and determine which security testing approaches are most likely to succeed in that situation. Identify areas where additional or enhanced security testing may be needed. Evaluate effectiveness of security mechanisms. Help the organization build information security awareness. Demonstrate the attacker mentality by discovering key information about a target, performing actions on a test application in a protected environment that a malicious person would perform, and understand how evidence of the attack could be deleted. Analyze a given interim security test status report to determine the level of accuracy, understandability, and stakeholder appropriateness. Analyze and document security test needs to be addressed by one or more tools. Analyze and select candidate security test tools for a given tool search based on specified needs. Understand the benefits of using security testing standards and where to find them. Created by Rex Black, President of, Inc. (), past President of the International Software Testing Qualifications Board (www.istqb.org), past President of the American Software Testing Qualifications Board (www.astqb.org), and co-author of the International Software Testing Qualifications Board Advanced Syllabus, this course is also ideal for testers and test teams preparing for certification. It covers the International Software Testing Qualifications Board Advanced Level Syllabus Security Tester 2016, and has been accredited by an ISTQB-recognized National Board. Learning Objectives Through presentation, discussion, and hands-on exercises, attendees will learn to: Understand the role of risk assessment in supplying information for security test planning and design and aligning security testing with business needs Identify the significant assets to be protected, the value of each asset and the data required to assess the level of security needed for each asset Analyze the effective use of risk assessment techniques in a given situation to identify current and future security threats Understand the concept of security policies and procedures and how they are applied in information systems ISTQB Advanced Security Tester (v1.0) 2 Copyright 2017, All Rights Reserved

Analyze a given set of security policies and procedures along with security test results to determine effectiveness Understand the purpose of a security audit Understand why security testing is needed in an organization, including benefits to the organization such as risk reduction and higher levels of confidence and trust Understand how project realities, business constraints, software development lifecycle, and other considerations affect the mission of the security testing team Explain why security testing goals and objectives must align with the organization s security policy and other test objectives in the organization For a given project scenario, demonstrate the ability to identify security test objectives based on functionality, technology attributes and known vulnerabilities Understand the relationship between information assurance and security testing For a given project, demonstrate the ability to define the relationship between security test objectives and the need for strength of integrity of sensitive digital and physical assets Analyze a given situation and determine which security testing approaches are most likely to succeed Analyze a situation in which a given security testing approach failed, identifying the likely causes of failure For a given scenario, demonstrate the ability to identify the various stakeholders and illustrate the benefits of security testing for each stakeholder group Analyze KPIs (key performance indicators) to identify security testing practices needing improvement and elements not needing improvement For a given project, demonstrate the ability to define the elements of an effective security test process Analyze a given security test plan, giving feedback on strengths and weaknesses of the plan For a given project, implement conceptual (abstract) security tests, based on a given security test approach, along with identified functional and structural security risks Implement test cases to validate security policies and procedures ISTQB Advanced Security Tester (v1.0) 3 Copyright 2017, All Rights Reserved

Understand the key elements and characteristics of an effective security test environment Understand the importance of planning and obtaining approvals before performing any security test Analyze security test results to determine the following: Nature of security vulnerability; Extent of security vulnerability; Potential impact of security vulnerability; Suggested remediation; and, Optimal test reporting methods Understand the importance of maintaining security testing processes given the evolving nature of technology and threats Explain why security is best achieved within a lifecycle process Implement the appropriate security-related activities for a given software lifecycle (e.g., iterative, sequential) Analyze a given set of requirements from the security perspective to identify deficiencies Analyze a given design document from the security perspective to identify deficiencies Understand the role of security testing during component testing Implement component level security tests (abstract) given a defined coding specification Analyze the results from a given component level test to determine the adequacy of code from the security perspective Understand the role of security testing during component integration testing Implement component integration security tests (abstract) given a defined system specification Implement an end-to-end test scenario for security testing which verifies one or more given security requirements and tests a described functional process Demonstrate the ability to define a set of acceptance criteria for the security aspects of a given acceptance test Implement an end-to-end security retest/regression test approach based on a given scenario Understand the concept of system hardening and its role in enhancing security ISTQB Advanced Security Tester (v1.0) 4 Copyright 2017, All Rights Reserved

Demonstrate how to test the effectiveness of common system hardening mechanisms Understand the relationship between authentication and authorization and how they are applied in securing information systems Demonstrate how to test the effectiveness of common authentication and authorization mechanisms Understand the concept of encryption and how it is applied in securing information systems Demonstrate how to test the effectiveness of common encryption mechanisms Understand the concept of firewalls and the use of network zones and how they are applied in securing information systems Demonstrate how to test the effectiveness of existing firewall implementations and network zones Understand the concept of intrusion detection tools and how they are applied in securing information systems Demonstrate how to test the effectiveness of existing intrusion detection tool implementations Understand the concept of malware scanning tools and how they are applied in securing information systems Demonstrate how to test the effectiveness of existing malware scanning tool implementations Understand the concept of data obfuscation tools and how they are applied in securing information systems Demonstrate how to test the effectiveness of data obfuscation approaches Understand the concept of security training as a software lifecycle activity and why it is needed in securing information systems Demonstrate how to test the effectiveness of security training Explain how human behavior can lead to security risks and how it impacts the effectiveness of security testing For a given scenario, demonstrate the ability to identify ways in which an attacker could discover key information about a target and apply measures to protect the environment Explain the common motivations and sources for performing computer system attacks ISTQB Advanced Security Tester (v1.0) 5 Copyright 2017, All Rights Reserved

Analyze an attack scenario (attack performed and discovered) and identify possible sources and motivation for the attack Explain how security defenses can be compromised by social engineering Understand the importance of security awareness throughout the organization Given certain test outcomes, apply appropriate actions to increase security awareness Understand the need to revise security expectations and acceptance criteria as the scope and goals of a project evolve Understand the importance of keeping security test results confidential and secure Understand the need to create proper controls and data-gathering mechanisms to provide the source data for the security test status reports in a timely, accurate, and precise fashion (e.g., a security test dashboard) Analyze a given interim security test status report to determine the level of accuracy, understandability, and stakeholder appropriateness Explain the role of static and dynamic analysis tools in security testing Analyze and document security testing needs to be addressed by one or more tools Understand the issues with open source tools Understand the need to evaluate the vendor s capabilities to update tools on a frequent basis to stay current with security threats Understand the benefits of using security testing standards and where to find them Understand the difference in applicability of standards in regulatory versus contractual situations Understand the difference between mandatory (normative) and optional (informative) clauses within any standard Understand where to learn of industry trends in information security ISTQB Advanced Security Tester (v1.0) 6 Copyright 2017, All Rights Reserved

Course Materials This course includes the following materials: Name Course Outline Noteset Foundation Sample Exam Questions Foundation Mock Exam Advanced Security Tester Sample Exam Questions s Advanced Security Tester Mock Exam Project Source Documents for Course s Bibliography and resources Description A general description of the course along with learning objectives, course materials and an outline of the course topics, including approximate timings for each section. A set of approximately 300 PowerPoint slides covering the topics to be addressed. A set of approximately 150 pages of review materials for the Foundation level covering every learning objective in the ISTQB Foundation Syllabus. A practice exam containing 40 questions and answers to provide a review of the ISTQB Foundation exam. A complete set of questions for every learning objective in the Test Analyst module of the ISTQB Advanced Syllabus. A set of exercises for the course, based on a realistic case study. A practice exam containing questions and answers to assess your readiness for the ISTQB Advanced exam. Specifications and documents used in the realistic case study used in exercises for the course. A set of further readings, Web sites, tools and other resources to help implement the concepts. The printed course materials are provided in a binder in a way which makes it convenient for course attendees to remove portions as needed for reference; e.g., during exercises. Session Plan The course runs for three days, with attendees encouraged to take the ISTQB Advanced Security Tester exam on the following day. Each day is about 360 minutes of class time, from 9:00 to 5:30. For accredited course offerings, material is covered as described. For custom courses, material may be deleted, added, or expanded upon as needed. ISTQB Advanced Security Tester (v1.0) 7 Copyright 2017, All Rights Reserved

Please note that timings are approximate, depending on attendee interest and discussion. All of the lectures include exercises and/or knowledge-check questions except as noted. The following shows this session plan in relationship to the chapters and sections of the ISTQB Advanced Syllabus Security Tester. Introduction and Review (60 minutes) 1. The Basis of Security Testing - 105 minutes 1.1 Security Risks 1.2 Information Security Policies and Procedures 1.3 Security Auditing and Its Role in Security Testing 2. Security Testing Purposes, Goals and Strategies - 130 minutes 2.1 Introduction 2.2 The Purpose of Security Testing 2.3 The Organizational Context 2.4 Security Testing Objectives 2.5 The Scope and Coverage of Security Testing Objectives 2.6 Security Testing Approaches 2.7 Improving the Security Testing Practices 3. Security Testing Processes - 140 minutes 3.1 Security Test Process Definition 3.2 Security Test Planning 3.3 Security Test Design 3.4 Security Test Execution 3.5 Security Test Evaluation 3.6 Security Test Maintenance 4. Security Testing Throughout the Software Lifecycle - 225 minutes 4.1 Role of Security Testing in a Software Lifecycle 4.2 The Role of Security Testing in Requirements 4.3 The Role of Security Testing in Design ISTQB Advanced Security Tester (v1.0) 8 Copyright 2017, All Rights Reserved

4.4 The Role of Security Testing in Implementation Activities 4.5 The Role of Security Testing in System and Acceptance Test Activities 4.6 The Role of Security Testing in Maintenance 5. Testing Security Mechanisms - 240 minutes 5.1 System Hardening 5.2 Authentication and Authorization 5.3 Encryption 5.4 Firewalls and Network Zones 5.5 Intrusion Detection 5.6 Malware Scanning 5.7 Data Obfuscation 5.8 Training 6. Human Factors in Security Testing - 105 minutes 6.1 Understanding the Attackers 6.2 Social Engineering 6.3 Security Awareness 7. Security Test Evaluation and Reporting - 70 minutes 7.1 Security Test Evaluation 7.2 Security Test Reporting 8. Security Testing Tools - 55 minutes 8.1 Types and Purposes of Security Testing Tools 8.2 Tool Selection 9. Standards and Industry Trends - 40 minutes 9.1 Understanding Security Testing Standards 9.2 Applying Security Standards 9.3 Industry Trends ISTQB Advanced Security Tester (v1.0) 9 Copyright 2017, All Rights Reserved

Recommended Readings The class materials include a bibliography of books related to software testing, software security, quality, and other topics of interest to the security test professional. ISTQB Advanced Security Tester (v1.0) 10 Copyright 2017, All Rights Reserved

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback