Abstract Details

9/27/2017  |   10:25 AM - 11:10 AM   |  Track 5 - Test and Verification

Training and Certifying Security Testers Beyond Penetration Testing

When asking senior-level executives or security administrators about the adequacy of their organizations’ information security defenses, most people will list things such as encryption, firewalls, malware protection, and so forth. When asked, “How effective are your defenses?” most people can’t give a definitive answer because the defenses have not been tested in a continuous and holistic way. Many people believe the status quo position that penetration testing is all that is needed to find security vulnerabilities. To help meet the need of training software testers and others in how to perform security testing as a specialty practice, the International Software Testing Qualifications Board (ISTQB) has developed an Advanced Level Security Tester syllabus and exam which leads to the CTAL-SEC designation. The American Software Testing Qualifications Board (ASTQB) administers this certification in the United States. The goal is to provide the information needed to train people in performing security testing at an advanced level. This syllabus is freely available and draws from sources such as NIST, CERT and OWASP to describe the in-depth knowledge needed to test the security of systems and applications of all types. This syllabus and certification covers the topic of penetration testing, but goes beyond penetration testing to test internal controls and procedures, identify vulnerabilities at the code level, perform security risk assessments, understand the tools available for security testing and how to design and conduct effective security tests. 
In this presentation, ASTQB board member Randall Rice, leader of the ISTQB Working Party that developed the syllabus, will present:

• An overview of the ISTQB Advanced Security Tester syllabus topics
• How the certification works
• How this certification differs from other security certifications
• How this certification is compatible with NICE’s ongoing efforts and how this relates to the various framework analyses already underway
• The intended audience for the training
• The value of the ISTQB Advanced Security Tester certifications to testers and to organizations

Randall Rice (Primary Presenter), American Software Testing Qualifications Board (ASTQB), rrice@riceconsulting.com;
Randall (Randy) Rice is a leading author, speaker, consultant and practitioner in the field of software testing and software quality. He has over 38 years of experience in building and testing software projects in a variety of environments and has authored over 70 training courses in software testing, security testing and software engineering. Randy holds many ISTQB certifications, including all three ISTQB “core” Advanced Certifications, the Advanced Security Tester certification, Certified Mobile Tester, and Certified Agile Tester, Foundation Level. Randy is the chair of the ISTQB Advanced Security Tester Working Party that created the 2016 Advanced Security Tester Syllabus. He is also a director of the American Software Testing Qualifications Board (ASTQB). Randy is co-author, with William E. Perry, of the books “Surviving the Top Ten Challenges of Software Testing” and “Testing Dirty Systems”. Randy is also principal consultant and trainer at Rice Consulting Services, Inc.

2017 Sponsors: IEEE and IEEE Computer Society