Looking to move towards Security Testing

Hello All,

I am an Automation Test Engineer from the UK. I have an ISTQB Foudation Certification. I would like to learn more about Security Testing. Apart from ISTQB Advance Security Tester Certification, is there any other certification or courses there including Cyber Security? Kindly advice

Thanks,
Krithi

2 Likes

Hi @kirthig

Welcome to MoT! Security is a very broad spectrum so what kind of security are you looking into?
ISTQB Security is defo not going to cut it.

If you want to start out in security you can do online test labs to practice skills such as:

They got learning paths to develop your skills and are a very good beginning.
After you’ve done those you can probably move towards HackTheBox

OWASP is a great source of information about security also. Mobile, API, WEB you name it.

If you wish to practice your skills on real life targets, there is this thing called " Bug Bounty "
Online platforms where you can hack real companies and if you’ve found a vulnerability, you’ll get paid for it. Some examples:

Make sure to read the in and out of scope! :slight_smile:


Certifications in IT Security are kind of “meh” depending on the certification.
You have the EC-Council certifications but people often laugh at it “CEH” → Certified Ethical Hacker"

People tend to name themselves “Uncertified Ethical Hacker” as a joke towards CEH, because it doesn’t really add any value.

What does add value if you are looking to work as a pentester is OSCP and some others from OFFSEC:

These are super hard 24-48 hour exams. But they are really good!

If you now tell me you want to do security testing on hardware then I wrote all of this for nothing :joy: Nah but I don’t do anything hardware related myself so I can’t really give advise on this.
Neither social engineering etc.

I would defo start following some cyber security experts on twitter, mostly bug bounty hunters because they often write write-ups of their hacks and those are such good learning materials.
Same for disclosed reports on: HackerOne


Disclaimer: If you are going to spend only a few hours a week on this, I can already tell you, you’re not going to make it. It’s a lot of content and continuously evolving. It’s not something that you can follow a training and done. Since there are always new frameworks and technology, new patches and fixes for vulnerabilities, you’re going to have to spend X amount of time to stay up to date with the new content, which can be very overwhelming. I’m not trying to discourage you here but this is just the reality. I’ve been into security since I was 15y old and I still don’t know everything, even though I spend a huge time of my free-time reading articles, write ups, doing online boxes/labs etc.

So if you are looking for an end point, there isn’t one! :smiley:

Hope it helps you a bit.
Always happy to discuss it further, if you have more in-depth questions.

7 Likes

@kristof
Thank you so much for the detailed resource references and also your experience in security testing.
I was looking for some way to start in this area. As you mentioned spending some time on this will not help me. I want to build my knowledge and profile strong in security testing so that i could be moved to a place where i can work on those and build my career. There are tons of material available but was looking for a course or certification that would help my profile to stand out or to be precise picked by the companies that need a cyber security tester.
With my research, i could find a few courses/certifications like CEH, CompTIA Security+,CISSP and there are loads more.
I was very confused about where to start, But thanks to your material, I will start with those

Thanks,
Kiruthiga

1 Like

Hello Kiruthiga,

Hope you’re doing well.

I just transitioned into a Security Testing Team.

Here is what I have learnt so far

Burp Suite from Port Swigger Academy which is free
OWASP guidelines
Did my CEH Certification which is basic and most testers would do
Did Dan Billings course for Security Testing on MOT Site.

Following Related people in this area .

Learning Python as it will help me in source code analysis.

I have not planned for oscp, cissp, or any certification so soon because I want to understand things first and then move further.

Once I figure something better I will put it up here.

1 Like

Hello Mahathee,

Thank you so much for sharing your experience.
I just came across the Google Cybersecurity Professional Certificate course from Coursera,
On completing this course, it also provides some discount voucher for Compt Security + certification ( at least that’s what it says)
What do you think about this?

1 Like

I dont have much idea on this but looking to hear from you how your experience has been.

If you’re interested in security testing, there are several certifications and blogs that can help you enhance your knowledge and skills in this field.

  1. Certified Information Systems Security Professional (CISSP): Offered by (ISC)², CISSP is a globally recognized certification that covers various domains of information security, including security testing.
  2. Certified Ethical Hacker (CEH): Provided by EC-Council, CEH focuses on ethical hacking techniques, including security testing, to identify vulnerabilities and secure systems.
  3. Offensive Security Certified Professional (OSCP): Offered by Offensive Security, OSCP is a highly regarded certification that emphasizes hands-on penetration testing and security assessments.

Blogs and Resources:

1. OWASP (Open Web Application Security Project): OWASP is a non-profit organization that provides a wealth of resources, including articles, guides, and tools, related to web application security testing. Their website (https://owasp.org/) is a great starting point.
2. PortSwigger Web Security Blog: Run by the creators of Burp Suite, a popular web application security testing tool, this blog (Web Security Blog - PortSwigger) offers insights, tutorials, and real-world examples of web security vulnerabilities and testing techniques.
3. SANS Institute Reading Room: The SANS Institute provides a vast collection of whitepapers, presentations, and research papers on various security topics, including testing and assessments. You can access their Reading Room at Cyber Security White Papers | SANS Institute.
4. Testrig Technologies Blog: Testrig Technologies’ blog (https://www.testrigtechnologies.com/blog/) offers a wide range of articles and resources related to software testing, including security testing. They cover various topics such as penetration testing, vulnerability assessment, secure coding practices, and more.

Just an FYI: they changed it to “Open Worldwide Application Security Project”

1 Like