Discover the Skills of A Security Testing and Evaluation Specialist
Learning Objectives
After completing this unit, you’ll be able to:
- Describe a security testing and evaluation (ST&E) specialist career.
- List key skills relevant to the role of an ST&E specialist.
A Security Testing and Evaluation Specialist Career
Let’s explore whether you’d be a good fit for the role of an ST&E specialist by starting with some questions.
Who are you?
Are you an analytical person who always makes sure to validate assumptions related to your work? Do you like to think about weaknesses in technology and how to improve them? Do you like to test and tinker with things to see if they break? If you answered yes to these questions, then ST&E may be a great fit for you.
What do you like to do?
Developers build systems to provide certain capabilities and functionality. Quality assurance specialists check to make sure the capabilities work as intended. ST&E specialists take this a step further, thinking about how they may be able to use systems in a way that the developers did not intend. It may be counter-intuitive, but ST&E specialists are looking for the cracks and weaknesses. When they find a vulnerability, they check to see if it could result in real damage. Then they help developers think about how to fix it.
ST&E specialists do this by planning and developing test strategies, executing the test, and reporting on the IT system’s vulnerabilities, the root causes of the vulnerabilities, and possible mitigations. To give you a closer look, let’s meet Josephine, an ST&E specialist at an accounting firm. On a daily basis, Josephine is involved in testing the firm’s tax systems to determine whether she can use them in a way other than what the developers intended, and thereby compromise the firm’s clients’ tax data. On a typical day, Josephine does the following things.
- Creates ST&E strategies to develop secure tax systems
- Develops ST&E plans for tax systems
- Documents IT system, operating system, communications protocol, service, and application information to review the operational security of the systems
- Identifies active network devices, ports, and communication paths that could be compromised by an attacker
- Conducts ST&E using appropriate analysis and review techniques, including threat modeling, penetration testing, and vulnerability analysis
- Verifies file integrity and encryption of communications
- Reviews system documentation, audit logs, rule sets, and configurations to validate security policy compliance
- Tests the effectiveness of user security awareness measurements, such as anti-phishing training
- Identifies and mitigates discovered vulnerabilities, such as weak passwords
- Verifies vulnerability remediation through IT system and network vulnerability scanning
- Makes recommendations on certification and accreditation processes
- Communicates test results to the project sponsor, developers, and other stakeholders
- Recommends mitigation strategies
- Influences retest decisions
- Assists the customer and project sponsor in making system acceptance decisions
What type of organization do you want to work for?
Many testing specialists work on teams that develop vendor systems. You can work for many industries, including government organizations, software companies, manufacturers, and more. Today a lot of systems are pushed through DevOps (development + operations) teams. On these teams, development, testing, and delivery are on a continuous loop using the agile, lean, or scrum frameworks. These frameworks use an iterative approach to software development that helps teams deliver value to their customers quickly, in small but consumable increments.
What are other common names for this role?
Other common names for this role include application security tester, system evaluator, and security test engineer, just to name a few.
ST&E Specialist Skills
Like Josephine, you’re excited about helping organizations think through how attackers could abuse their systems, and how to mitigate these threats early in the development cycle. So, what education and skills do you need to pursue this career?
Education
It’s possible to find certain entry-level cybersecurity positions that require applicants to have a course of post-secondary study lasting 2 or 3 years. However, most jobs require a 4-year bachelor's degree in computer science or IT security.
Experience
Typically, employers look for candidates with anywhere from 2 to 5 years of experience in development or testing, and training in information assurance.
Certifications
To help you skill up and get your foot in the door, pursuing a certification is a great idea. Here are some common certifications for ST&E specialists (note that some of these are broader security training while others are more specialized).
- The National Institute of Standards and Technology (NIST) Cybersecurity Professional 800-171 Specialist
- NIST Cybersecurity Professional 800-53 Specialist
- The Computing Technology Industry Association (CompTIA) Security+ Certification
- CompTIA Cybersecurity Analyst (CySA+) Certification
- CompTIA PenTest+ Certification
- CompTIA Advanced Security Practitioner (CASP+) Certification
- Offensive Security PEN-200
Knowledge
As an ST&E specialist, having a solid understanding of the basics—such as testing methods, industry standards, and test tools—is key. You should have strong familiarity with risk management processes, change management, and information assurance. It’s also helpful to have knowledge of the security assessment and authorization process, data analytic techniques, and computer networking concepts. Additional areas of expertise that are helpful include knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity, familiarity with threat modeling and vulnerability analysis, and an understanding of cybersecurity architectures.
Business Skills
In addition to these technical skills, it’s also critical to sharpen your business skills. A huge part of being successful as an ST&E specialist is having strong writing, attention to detail, and problem solving skills. You should know how to teach others about best practices in security, as well as demonstrate exemplary management and budgeting skills.
Sum It Up
In this module, you’ve been introduced to the goals of ST&E. You’ve learned more about the importance of ST&E in preventing the misuse of systems by malicious actors. You’ve also discovered the duties, skills, and qualifications of an ST&E specialist.
In the next module, ST&E Specialist Responsibilities, you learn how to plan, develop, and execute the ST&E strategy and how to report on the security of the system to relevant stakeholders. Interested in learning more about cybersecurity roles and hearing from security professionals? Check out the Cybersecurity Learning Hub on Trailhead.
