Security Testing

Security Testing is the testing of a network, system, product or design, against the specified security requirements and/or for vulnerabilities (penetration testing).

More about a career in Security Testing

Working life

An introduction to this specialism

Security Testing focuses on examining and probing applications, systems, and networks for vulnerabilities. It might involve a wider set of issues, including: 

  • planning and carrying out scripted tests of hardware or software components 
  • planning and executing incident response 

If testing systems while they are in development or being updated, it is likely that this is a software development organisation or a consultancy that supports clients’ development work. If testing on completed and live systems, then this is probably a consultancy. In either case, work normally consists of fairly short projects, which may require travel to client sites to work in their secure environment. 

When tests are carried out, it is important to be thorough and accurate in recording and documenting the results. Some of this broad range of testing work may be done alone, but the testing is generally shared with colleagues. When flaws are found in software or hardware products, results are delivered to developers diplomatically, with accompanying advice on how to better secure the product. 

Understanding all the requirements that a piece of software or hardware must meet also allows for less hands-on, but still technical, work: specifying and producing the test environment, test data and test scripts for planned tests. 

To do all this, it is important to understand all the requirements that a piece of software or hardware has to meet. This may involve reviewing the test products of colleagues, and analysing and providing feedback on a test strategy or test plans. 

If a role focuses on security testing, this may be done independently most of the time. However, there will be a need to present findings to close colleagues, managers, and, in some roles, to system managers or external clients. This primarily involves producing written reports, but on substantial testing projects, there may be a need to provide a verbal briefing as well. 

Given the need to stay ahead of potential attackers, it is vital to keep knowledge and skills of vulnerabilities and threats up to date; most employers allow you time to do this. 

Responsibilities

What will your responsibilities include? What are your tasks likely to include?

Security Testing delivers a full range of testing work – from websites, mobile apps and infrastructure testing to social engineering. 

In this specialism, you may:  

  • test software and hosted platforms, to identify vulnerabilities 
  • carry out penetration testing of web applications, mobile applications, and internal infrastructure 
  • analyse code to assess its level of security and to find specific vulnerabilities 
  • manage the security testing process 
  • participate in complex simulated attacks on networks or systems 
  • work with other specialists, such as Cyber Threat Intelligence analysts, to keep updated with the latest threats/vulnerabilities 
  • produce written technical reports to a professional standard, for clients 
  • research potential vulnerabilities 
  • research potential new security mechanisms or methods, and develop promising options 
  • formally brief clients and colleagues 

Job Titles 

The job titles for roles focused on Security Testing - whether for checking that a product complies with security requirements or for finding the vulnerabilities in a system or network - are not always specific. Some jobs which sound very general may largely be concerned with Security Testing. 

For Security Testing roles, titles include: 

  • Cyber Security Consultant 
  • Cyber Penetration Test Specialist 
  • Ethical Hacker 
  • Information Security Specialist 
  • Penetration Tester 
  • Penetration Test Consultant 
  • Security Consultant 

Salaries 

A Security Testing role might earn between £40,000 and £65,000. The median figure in February 2021 was £68,000. 

A senior Security Testing role might earn between £50,000 and £85,000. The median figure in February 2021 was £80,000. 

These figures are dominated by the salaries for jobs in the larger cities of the UK; salaries elsewhere may be lower.  

The salary ranges are based on job vacancy advertisements published online in February 2021. Median salary figures are taken from calculations performed by www.itjobswatch.co.uk. 

Knowledge

What core, related and wider knowledge is important for working in this specialism?

Each of the 15 specialisms is based on knowledge areas within CyBOK.  

More information on CyBOK knowledge areas can be found here. 

Here are the knowledge areas associated with Security Testing. 

Core knowledge – you will need a very good understanding of these areas 

Network Security 

Security aspects of networking and telecommunication protocols, including the security of routing, network security elements, and specific cryptographic protocols used for network security. 

Software Security 

Known categories of programming errors resulting in security bugs, and techniques for avoiding these errors - both through coding practice and improved language design - and tools, techniques, and methods for detection of such errors in existing systems. 

Malware & Attack Technologies 

Technical details of exploits and distributed malicious systems, together with associated discovery and analysis approaches. 

Secure Software Lifecycle 

The application of security software engineering techniques in the whole systems development lifecycle resulting in software that is secure by default. 

Related knowledge – you will need a solid understanding of these areas 

Law & Regulation 

International and national statutory and regulatory requirements, compliance obligations, and security ethics, including data protection and developing doctrines on cyber warfare. 

Web & Mobile Security 

Issues related to web applications and services distributed across devices and frameworks, including the diverse programming paradigms and protection models. 

Wider knowledge – these areas will help to provide context for your work 

Adversarial Behaviours 

Understanding an attacker’s motivations and capabilities, and the technological and human elements that adversaries require to run a successful operation. 

Skills

What personal attributes might you need? What specialist skills are important?

Personal attributes 

  • remaining calm under pressure 
  • good communication skills, with the ability to explain technical issues in a non-technical way, verbally and in writing 
  • influencing internal stakeholders and clients, including those with very different levels of technical knowledge 
  • working to deadlines and prioritising work appropriately 
  • working independently and sometimes remotely while remaining part of a team 
  • willingness to learn and develop skills 
  • willingness to share knowledge with colleagues 
  • self-discipline to stay strictly within the project scope 
  • evaluating the probable social, commercial, cultural, ethical and environmental consequences of an action 

Specialist skills  

  • using common vulnerability scanning and penetration testing tools, such as NMAP, NESSUS, SQLMAP and Burp Suite 
  • writing test plans 
  • producing test data 
  • secure code analysis 
  • internal and external penetration testing 
  • programming and scripting 
  • penetration testing simulations such as Hack the Box, Try Hack Me or other Capture the Flag websites 
  • web applications and networking 
  • application of the Data Protection Act 2018 

For more experienced testers: 

  • adversary emulation 
  • reverse-engineering 
  • researching emerging technologies 
  • applications, operating systems, database management and secure operations 
  • proficiency in cyber security frameworks such as NIST SP 800-15 
  • implementing and auditing security measures and incident management 
  • carrying out vulnerability scanning beyond the scope of standard tools 
  • exploit development 
  • project management standards, methods and tools 

CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs) 

D1 – Internal and Statutory Audit  

Principles: 

  • verifies that information systems and processes meet the security criteria (requirements or policy, standards and procedures) 
  • assesses the business benefits of security controls 

D2 – Compliance Monitoring and Controls Testing  

Principles: 

  • defines and implements processes to verify on-going conformance to security and/or legal and regulatory requirements 
  • carries out security compliance checks in accordance with an appropriate methodology 
  • this Skill Group covers compliance checks and tests against technical, physical, procedural and personnel controls 

D3 - Security Evaluation and Functionality Testing  

Principles: 

  • contributes to the security evaluation or testing of software 
  • evaluates security software by analysing the design documentation and code to identify potential vulnerabilities and testing to ascertain whether these are exploitable 
  • tests the security functionality of systems or applications for correctness in line with security policies, standards and procedures and advises on corrective measures 
  • applies recognised evaluation/testing methodologies, tools and techniques, developing new ones where appropriate 
  • assesses the robustness of a system, product or technology 
  • applies commonly accepted governance practices and standards when testing in an operational environment 

D4 – Penetration Testing and conducting Simulated Attack Exercises 

Principles: 

  • contributes to the scoping and conduct of vulnerability assessments and tests for public domain vulnerabilities and assessment of the potential for exploitation, where appropriate by conducting exploits; reports potential issues and mitigation options 
  • contributes to the review and interpretation of reports; coordinates and manages Remediation Action Plan (RAP) responses 
  • this Skill Group covers, but is not limited to, penetration testing against networks and infrastructures, web applications, mobile devices and control systems 
  • this Skill Group also covers contributing to the conduct of testing and simulated attack exercises based on scenarios derived from threat intelligence, potential threat agents and their capabilities 
  • predicts and prioritises threats to an organisation and their methods of attack 
  • uses human factor analysis in the assessment of threats 
  • uses threat intelligence to develop attack trees 
  • prepares and disseminates intelligence reports providing threat indicators and warnings 

*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec. 

Experience 

Any role that has shown the required technical aptitude and an ability to focus on a complex technical task could, with additional specialist training, provide a good foundation for moving into this specialism. Examples include: 

  • medical diagnostic specialisms 
  • engineering (mechanical, production, chemical, electrical, civil) 
  • some technical or physical security roles 
  • bug-hunting, including for bounty programmes 

Moving on

What other cyber security or IT role might you progress to from this specialism?

Linked Specialisms 

  • Secure System Architecture and Design 
  • Secure System Development 

Moving On 

From a role in Security Testing, you might move to a role in another cyber security specialism: 

  • Cyber Threat Intelligence 
  • Incident Response 
  • Digital Forensics 
  • Cyber Security Audit & Assurance 
  • Cyber Security Governance & Risk Management 

Or, with experience, you might progress within this specialism to become a Security Testing Senior Practitioner. 

Qualifications

Which certifications and qualifications are relevant to roles in this specialism?

Our certification framework can be accessed here. This framework allows you to see which certifications may be useful to you, within the different specialisms and at which point of your career.

Entry route information can be found here.

You can also visit the National Cyber Security Centre website at the links below:

NCSC Certified Degrees 

NCSC Certified Training 

Real Life Examples

Hear from someone already working in this specialism

William Wright is the CEO of Closed Door Security. In this recorded webinar, he talks more about the Security Testing specialism and what a typical day looks like.

Contextualisation of the Specialism

If you are applying for a Professional Registration Title, the Standard of Professional Competence and Commitment for Security Testing can be found here.

CHECK Scheme

If you're looking for more information about the CHECK scheme, click here.

© 2025 UK Cyber Security Council | Registered charity no. 1195030