More about a career in Security Testing
Depending on the type of organisation for which you work, your work is focused on testing - particularly by examining and probing applications, systems and networks - for vulnerabilities. It might involve a wider set of issues, including, on one side, planning and carrying out scripted tests of hardware or software components; on the other side, you may plan and execute incident response/Red Team exercises.
If you test systems while they are in development or being updated, it's likely you work in a software development organisation or for a consultancy that supports clients’ development work. If, as a penetration tester, you test completed and live systems, you probably work for a consultancy. In either case, your work normally consists of fairly short projects - of a few weeks at most - and, in normal circumstances, requires you to travel to client sites to work in their secure environment.
When you carry out tests, you are thorough and accurate in recording and documenting the results. Some of this broad range of testing work means working on your own, but you generally share the testing with colleagues. When you find flaws in software or hardware products, you deliver the results to the developers diplomatically, with any accompanying advice on how better to secure it.
You may carry out less hands-on but still technical work, such as specifying and producing the test environment, test data and test scripts for planned tests. To do this, you understand all the requirements that a piece of software or hardware has to meet. You may review the test products of colleagues and analyse and provide feedback on a test strategy or test plans.
If your role focuses on penetration testing, you may work independently much of the time. However, you present your findings to close colleagues, managers and, in some roles, to system managers or external clients. This primarily involves producing written reports but, on substantial testing projects, you probably need to provide a verbal briefing as well.
Given the need to stay ahead of potential attackers, you keep your knowledge and skills of vulnerabilities and threats up to date; most employers allow you time to do this.
Overall, a Security Tester is involved with or delivers a full range of testing work - from websites, mobile apps and infrastructure testing, to social engineering and Red Teaming.
In detail, you might:
- test software and hosted platforms, to identify vulnerabilities
- carry out penetration testing of web applications, mobile applications and internal infrastructure
- analyse code to assess its level of security and to find specific vulnerabilities
- manage the security testing process
- participate in complex simulated attacks (Red Team exercises) on networks or systems
- work with other specialists, such as Cyber Threat Intelligence analysts, to keep updated with the latest threats/vulnerabilities
- produce written technical reports to a professional standard, for clients
- research potential vulnerabilities
- research potential new security mechanisms or methods, and develop promising options
- formally brief clients and colleagues
Some organisations have a team of Security Testers, while others may have only one person dedicated to testing. If there are several Security Testers, and particularly in an organisation which provides penetration testing for other organisations, there will generally be two levels of responsibility.
A Security Testing practitioner:
- focuses on the practical aspects of delivering testing for clients
- may work either as an individual or as part of a team
A Security Testing senior practitioner will:
- have more responsibility, perhaps overseeing a team of testers if working for a large organisation, or being fully accountable for delivering all aspects of testing themselves
- provide consultation services to clients and other stakeholders
- provide advice on a broader range of cyber security issues
- remaining calm under pressure
- good communication skills, with the ability to explain technical issues in a non-technical way, verbally and in writing
- influencing internal stakeholders and clients, including those with very different levels of technical knowledge
- working to deadlines and prioritising work appropriately
- working independently and sometimes remotely while remaining part of a team
- willingness to learn and develop skills
- willingness to share knowledge with colleagues
- self-discipline to stay strictly within the project scope
- evaluating the probable social, commercial, cultural, ethical and environmental consequences of an action
- using common vulnerability scanning and penetration testing tools, such as NMAP, NESSUS, SQLMAP and Burp Suite
- writing test plans
- producing test data
- secure code analysis
- internal and external penetration testing
- programming and scripting
- penetration testing simulations such as Hack the Box, Try Hack Me or other Capture the Flag websites
- web applications and networking
- application of the Data Protection Act 2018
For more experienced testers:
- adversary emulation
- researching emerging technologies
- applications, operating systems, database management and secure operations
- proficiency in cyber security frameworks, such as NIST SP 800-15
- implementing and auditing security measures, and incident management
- carrying out vulnerability scanning beyond the scope of standard tools
- exploit development
- project management standards, methods and tools
CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs)
D1 – Internal and Statutory Audit
- verifies that information systems and processes meet the security criteria (requirements or policy, standards and procedures)
- assesses the business benefits of security controls
D2 – Compliance Monitoring and Controls Testing
- defines and implements processes to verify on-going conformance to security and/or legal and regulatory requirements
- carries out security compliance checks in accordance with an appropriate methodology
- this Skill Group covers compliance checks and tests against technical, physical, procedural and personnel controls
D3 – Security Evaluation and Functionality Testing
- contributes to the security evaluation or testing of software
- evaluates security software by analysing the design documentation and code to identify potential vulnerabilities and testing to ascertain whether these are exploitable
- tests the security functionality of systems or applications for correctness in line with security policies, standards and procedures and advises on corrective measures
- applies recognised evaluation/testing methodologies, tools and techniques, developing new ones where appropriate
- assesses the robustness of a system, product or technology
- applies commonly accepted governance practices and standards when testing in an operational environment
D4 – Penetration Testing and conducting Simulated Attack Exercises
- contributes to the scoping and conduct of vulnerability assessments and tests for public domain vulnerabilities and assessment of the potential for exploitation, where appropriate by conducting exploits; reports potential issues and mitigation options
- contributes to the review and interpretation of reports; coordinates and manages Remediation Action Plan (RAP) responses
- this Skill Group covers, but is not limited to, penetration testing against networks and infrastructures, web applications, mobile devices and control systems
- this Skill Group also covers contributing to the conduct of testing and simulated attack exercises based on scenarios derived from threat intelligence, potential threat agents and their capabilities
- predicts and prioritises threats to an organisation and their methods of attack
- uses human factor analysis in the assessment of threats
- uses threat intelligence to develop attack trees
- prepares and disseminates intelligence reports providing threat indicators and warnings
*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec.
Any role in which you've shown the required technical aptitude and an ability to focus on a complex technical task could, with additional specialist training, provide a good foundation for moving into this specialism. Examples include:
- medical diagnostic specialisms
- engineering (mechanical, production, chemical, electrical, civil)
- some technical or physical security roles
- bug-hunting, including for bounty programmes
Working in a cyber security role requires specialist knowledge, and some roles require a lot. Such knowledge can be acquired in several ways and, although the requirements for any given role are described here in terms of Knowledge Areas (KAs) from the Cyber Security Body of Knowledge (CyBOK), this doesn't mean that a cyber security specialist must read the relevant sections of CyBOK.
Increasingly, however, cyber security qualifications, training and skills definitions are being mapped to CyBOK - so the KAs are a good way of describing the knowledge associated with a specialism.
As an experienced practitioner in a Security Testing role, you'll typically use the knowledge in the KAs listed below, although not always to the same level of detail. You're most likely to have a very good understanding of the Core Knowledge, which is essential to performing the role. You may still need a good understanding of the Related Knowledge but not to quite the same degree. You may need a much less detailed understanding of the elements of Wider Knowledge, which provides context for your work.
Coming into such a role, you will not be expected to have all this knowledge initially.
Network Security: security aspects of networking and telecommunication protocols, including the security of routing, network security elements, and specific cryptographic protocols used for network security.
Software Security: known categories of programming errors resulting in security bugs, and techniques for avoiding these errors - both through coding practice and improved language design - and tools, techniques, and methods for detection of such errors in existing systems.
Malware & Attack Technologies: technical details of exploits and distributed malicious systems, together with associated discovery and analysis approaches.
Secure Software Lifecycle: the application of security software engineering techniques in the whole systems development lifecycle resulting in software that is secure by default.
Law & Regulation: international and national statutory and regulatory requirements, compliance obligations, and security ethics, including data protection and developing doctrines on cyber warfare.
Web & Mobile Security: issues related to web applications and services distributed across devices and frameworks, including the diverse programming paradigms and protection models.
Adversarial Behaviours: understanding an attacker’s motivations and capabilities, and the technological and human elements that adversaries require to run a successful operation.
You might enter this specialism as an apprentice.
Alternatively, you may be able to demonstrate substantial experience as a freelance ethical hacker, particularly if you operate through a bug bounty programme or agency.
You may start as a graduate, with a degree in:
- cyber security or information security
- software engineering
- computer science
- a similar discipline
Or, you might transition in from another role in IT or from another cyber security specialism, such as:
From a role in Security Testing, you might move to a role in another cyber security specialism:
- Cyber Threat Intelligence
- Incident Response
- Digital Forensics
- Cyber Security Audit & Assurance
- Cyber Security Governance & Risk Management
Or, with experience, you might progress within this specialism to become a Security Testing Senior Practitioner.
The job titles for roles focused on Security Testing - whether for checking that a product complies with security requirements or for finding the vulnerabilities in a system or network - are not always specific. Some jobs which sound very general may largely be concerned with Security Testing.
- Cyber Security Consultant
- Cyber Penetration Test Specialist
- Ethical Hacker
- Information Security Specialist
- Penetration Tester
- Penetration Test Consultant
- Security Consultant
A Security Testing practitioner might earn between £40,000 and £65,000. The median figure in February 2021 was £68,000.
A senior Security Testing practitioner might earn between £50,000 and £85,000. The median figure in February 2021 was £80,000.
These figures are dominated by the salaries for jobs in the larger cities of the UK; salaries elsewhere may be lower.
The salary ranges are based on job vacancy advertisements published online in February 2021. Median salary figures are taken from calculations performed by www.itjobswatch.co.uk.