Security Testing is the testing of a network, system, product or design, against the specified security requirements and/or for vulnerabilities (penetration testing).
Security Testing focuses on examining and probing applications, systems, and networks for vulnerabilities. It might involve a wider set of issues, including:
If testing systems while they are in development or being updated, it is likely that this is a software development organisation or a consultancy that supports clients’ development work. If testing on completed and live systems, then this is probably a consultancy. In either case, work normally consists of fairly short projects, which may require travel to client sites to work in their secure environment.
When tests are carried out, it is important to be thorough and accurate in recording and documenting the results. Some of this broad range of testing work might mean working alone, but generally sharing the testing with colleagues. When flaws are found in software or hardware products, results are delivered to developers diplomatically, with accompanying advice on how better to secure it.
Understanding all the requirements that a piece of software of hardware must meet, allow for less-hands on but still technical work in the test environment, test data and test scripts for planned tests to be specified and produced.
To do all this, it is important to understand all the requires that a piece of software or hardware has to meet. This may involve reviewing the test products of colleagues and analyse and provide feedback on a test strategy or test plans.
If a role focuses on security testing, this may be done independently most of the time. However, there will be a need to present findings to close colleagues, managers, and, in some roles, to system managers or external clients. This primarily involves producing written reports, but on substantial testing projects, there may be a need to provide a verbal briefing as well.
Given the need to stay ahead of potential attackers, it is vital to keep knowledge and skills of vulnerabilities and threats up to date; most employers allow you time to do this.
Security Testing delivers a full range of testing work – from websites, mobile apps and infrastructure testing to social engineering.
In this specialism, you may:
The job titles for roles focused on Security Testing - whether for checking that a product complies with security requirements or for finding the vulnerabilities in a system or network - are not always specific. Some jobs which sound very general may largely be concerned with Security Testing.
For Security Testing roles, titles include:
A Security Testing role might earn between £40,000 and £65,000. The median figure in February 2021 was £68,000.
A senior Security Testing role might earn between £50,000 and £85,000. The median figure in February 2021 was £80,000.
These figures are dominated by the salaries for jobs in the larger cities of the UK; salaries elsewhere may be lower.
The salary ranges are based on job vacancy advertisements published online in February 2021. Median salary figures are taken from calculations performed by www.itjobswatch.co.uk.
Each of the 16 specialisms are based on knowledge areas within CyBOK.
More information on CyBOK knowledge areas can be found here.
Here are the knowledge areas associated with Cyber Security Governance & Risk Management
Core knowledge – you will need a very good understanding of these areas
Security aspects of networking and telecommunication protocols, including the security of routing, network security elements, and specific cryptographic protocols used for network security.
Known categories of programming errors resulting in security bugs, and techniques for avoiding these errors - both through coding practice and improved language design - and tools, techniques, and methods for detection of such errors in existing systems.
Technical details of exploits and distributed malicious systems, together with associated discovery and analysis approaches.
The application of security software engineering techniques in the whole systems development lifecycle resulting in software that is secure by default.
Related knowledge – you will need a solid understanding of these areas
International and national statutory and regulatory requirements, compliance obligations, and security ethics, including data protection and developing doctrines on cyber warfare.
Issues related to web applications and services distributed across devices and frameworks, including the diverse programming paradigms and protection models.
Wider knowledge – these areas will help to provide context for your work
Understanding an attacker’s motivations and capabilities, and the technological and human elements that adversaries require to run a successful operation.
For more experienced testers:
CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs)
D1 – Internal and Statutory Audit
D2 – Compliance Monitoring and Controls Testing
D3 - Security Evaluation and Functionality Testing
D4 – Penetration Testing and conducting Simulated Attack Exercises
*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec.
Any role that has shown the required technical aptitude and an ability to focus on a complex technical task could, with additional specialist training, provide a good foundation for moving into this specialism. Examples include:
From a role in Security Testing, you might move to a role in another cyber security specialism:
Or, with experience, you might progress within this specialism to become a Security Testing Senior Practitioner.
Our qualifications framework is currently under development. Sign up to our newsletter here to be notified when this is published.
Entry route information can be found here.
You can also visit the National Cyber Security Centre website at the links below:
If you are applying for a Professional Registration Title, the Standard of Professional Competence and Commitment for Security Testing can be found here