Software Security Testing Learning Path

Learn industry standards to perform assessments for secure technologies.

10 hours, 37 minutes

Quick facts

About this learning path

  • Courses: 100% online
  • Duration: 10 hours, 37 minutes
  • Assessment: 88 questions

About Software Security Testing

This learning path teaches the security testing skills needed to conduct professional security assessments using a variety of approaches. As you progress through the courses, you will learn the core tenets of software security, build your own security testing lab environment, identify and exploit vulnerabilities, break contemporary security controls, use widely adopted tools and techniques, and communicate findings confidently to all stakeholders. On completion, you will have the foundational knowledge and skills to carry out several types of security assessment, including penetration testing, security auditing and code analysis.


Syllabus

Software Security Testing Skill Assessment

Assessment - 88 questions

Introduction to Software Security Testing

Course - 00:22:00

Installing Kali Linux as a virtual machine is an easy process. This guide will cover the basic installation. First, you will need compatible computer hardware. Kali Linux is supported on amd64 (x86_64/64-Bit) and i386 (x86/32-bit) platforms. The hardware requirements are minimal and are listed on the official Kali website in the system requirements section.
Important software security testing terminology

Course - 00:22:00

Like any other profession, security testing has critical terminology and vocabulary that you need to learn and adopt. Cybersecurity professionals use many such terms daily, and this course highlights the essential concepts you need to know for software security testing. Knowing them well lets you work through any engagement with confidence; not knowing them will slow your path to becoming a cybersecurity professional.
Methodologies and standards

Course - 00:15:00

In this course, we will explore essential testing methodologies and standards that software security testers use regularly. It will help identify a suitable methodology that fits the context and environment where you operate.
Software testing as a process

Course - 00:30:00

Software security testing is very hands-on! The more tests you perform, the better you get. Continuous learning and improvement are essential to staying relevant. Software security testing is similar to chess: easy to learn and be productive at but hard to master. As much as hacking is methodical and precise, it is also creative and fun. In this course, we will explore software testing as a process.
The HTTP protocol

Course - 00:46:00

HTTP (HyperText Transfer Protocol) is the underlying protocol of the web. Tim Berners-Lee and his team developed it between 1989 and 1991. HTTP has changed considerably since then while keeping most of its original simplicity and gaining flexibility. This course explores the foundations of HTTP and its importance to software security, including the hypertext system over the internet that was initially called the Mesh and was later renamed the World Wide Web.
Introduction to encoding

Course - 00:17:00

Encoding is the process of converting data from one representation to another. While "encoding" can be used as a verb, it is often used as a noun referring to a specific encoded form (Base64, URL encoding, hexadecimal). Encoding should not be confused with encryption: an encoding is reversible by anyone who knows the scheme and provides no confidentiality, whereas encryption hides content from anyone without the key. Both techniques are used extensively in networking, software programming, wireless communication and storage. In this course, we will learn how to identify different encodings and decode them, which matters in testing because input filters are frequently bypassed by submitting an encoded form of a blocked payload.
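The identify-and-decode workflow described above, as an added example that is not part of the course material: a small Python decoder that guesses each layer (URL, HTML entity, hex, Base64) from the shape of the string, decodes it, keeps the result only if it is printable text, and repeats until plain text remains. The sample value is constructed here (a script tag that was URL-encoded and then Base64-encoded); the shape checks are heuristics, so a real engagement still confirms the result by hand.

```python
import base64
import binascii
import html
import re
import urllib.parse
from typing import Callable, List, Optional, Tuple

# Constructed sample: an attacker payload that was URL-encoded, then Base64-encoded,
# the way a parameter might arrive after passing through two layers of an application.
SAMPLE = base64.b64encode(
    urllib.parse.quote("<script>alert(1)</script>").encode()
).decode()

HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
URL_RE = re.compile(r"%[0-9a-fA-F]{2}")
HTML_RE = re.compile(r"&(?:#\d+|#x[0-9a-fA-F]+|[a-zA-Z]+);")


def decode_once(s: str) -> Optional[Tuple[str, str]]:
    """Return (encoding, decoded) for the first scheme whose shape matches `s` and
    whose output is printable text, or None if `s` looks like plain text already.
    Hex is tried before Base64 because every hex string is also valid Base64."""
    candidates: List[Tuple[str, Callable[[str], str]]] = []
    if URL_RE.search(s):
        candidates.append(("url", urllib.parse.unquote))
    if HTML_RE.search(s):
        candidates.append(("html", html.unescape))
    if HEX_RE.match(s) and len(s) >= 4:
        candidates.append(("hex", lambda v: bytes.fromhex(v).decode("utf-8")))
    if B64_RE.match(s) and len(s) % 4 == 0 and len(s) >= 8:
        candidates.append(
            ("base64", lambda v: base64.b64decode(v, validate=True).decode("utf-8"))
        )
    for name, fn in candidates:
        try:
            out = fn(s)
        except (ValueError, binascii.Error, UnicodeDecodeError):
            continue  # shape matched but the bytes were not this encoding
        if out and out != s and out.isprintable():
            return name, out
    return None


def decode_layers(s: str, max_depth: int = 8) -> List[Tuple[str, str]]:
    """Peel encodings one layer at a time. Returns the chain of (encoding, value)
    steps; an empty list means the input was already plain text."""
    steps: List[Tuple[str, str]] = []
    for _ in range(max_depth):  # bounded so a pathological input cannot loop forever
        result = decode_once(s)
        if result is None:
            break
        steps.append(result)
        s = result[1]
    return steps


if __name__ == "__main__":
    for enc, value in decode_layers(SAMPLE):
        print(f"{enc:>6}: {value}")
```

The printability check is what stops the decoder from "decoding" ordinary words such as "password" that happen to be valid Base64: the result would be binary garbage and is discarded.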
Information gathering

Course - 01:23:00

This course will explore information gathering as one of the most critical processes in software security testing. There are two types of methods used during information gathering: active and passive reconnaissance. Active reconnaissance methods interact directly with the target, for example by probing its services to identify the technologies in use and map the network; this yields the most reliable information but is visible in the target's logs. Passive methods gather data from third-party sources such as search engines, DNS records and certificate logs without sending any traffic to the target, so they leave no trace on it. In this course, you will learn the main differences and how to use both techniques to your advantage.
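Both reconnaissance styles from the paragraph above, as an added example (not course material) that also covers the raw HTTP response format from the HTTP course: the active side parses a captured response and pulls technology indicators from the Server, X-Powered-By and session-cookie headers; the passive side extracts hostnames from records shaped like a certificate-transparency search result. Both inputs are constructed here, and the "name_value" field name is an assumption about the data shape rather than any particular service's API.

```python
import json
from typing import Dict, List, Tuple

# Constructed raw HTTP response, standing in for what an active probe of the target returns.
ACTIVE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>Welcome</body></html>"
)

# Constructed passive data: records shaped like a certificate-transparency search result
# (the "name_value" field is an assumption). Nothing is ever sent to the target.
CT_RECORDS = json.dumps([
    {"name_value": "www.example.com\ndev.example.com", "not_after": "2025-01-01"},
    {"name_value": "*.api.example.com", "not_after": "2025-03-01"},
    {"name_value": "www.example.com", "not_after": "2024-06-01"},
    {"name_value": "mail.example.org", "not_after": "2025-02-01"},
])

# Session cookie names are a cheap fingerprint of the server-side stack.
SESSION_COOKIE_HINTS = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET",
    "connect.sid": "Node.js (express-session)",
}


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.x response into (lowercased-name, value) header pairs.
    A list is returned rather than a dict because headers such as Set-Cookie repeat."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def fingerprint(raw: str) -> Dict[str, object]:
    """Active recon: pull technology indicators out of one captured response."""
    hints: List[str] = []
    result: Dict[str, object] = {"server": None, "powered_by": None, "cookie_hints": hints}
    for name, value in parse_headers(raw):
        if name == "server":
            result["server"] = value
        elif name == "x-powered-by":
            result["powered_by"] = value
        elif name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            hint = SESSION_COOKIE_HINTS.get(cookie_name)
            if hint and hint not in hints:
                hints.append(hint)
    return result


def subdomains_from_ct(json_text: str, domain: str) -> List[str]:
    """Passive recon: collect unique hostnames under `domain` from CT-style records.
    Wildcard entries are reduced to their base label; other domains are ignored."""
    found = set()
    for record in json.loads(json_text):
        for host in record.get("name_value", "").split("\n"):
            host = host.strip().lower()
            if host.startswith("*."):
                host = host[2:]
            if host == domain or host.endswith("." + domain):
                found.add(host)
    return sorted(found)
```

Version strings such as "Apache/2.4.41" are only hints: they are trivially spoofable and frequently stale, so the tester confirms them with behaviour-based checks before relying on them.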
Configuration and management testing

Course - 00:21:00

Modern server infrastructure is interconnected and heterogeneous and may host hundreds of applications, which makes configuration management and review a fundamental step in testing and deploying every application. In this course, we will learn about configuration and management testing. A single vulnerability can undermine the security of the entire infrastructure, and even small, seemingly unimportant problems (a default credential, an exposed administrative interface, directory listing left enabled) may evolve into severe risks for another application on the same server. To address these problems, it is essential to perform an in-depth review of the configuration and of known security issues after mapping the entire architecture.
Identity management testing

Course - 00:15:00

Identity and access management (IAM) in enterprise IT is about defining and managing the roles and access privileges of individual network users and the circumstances in which users are granted (or denied) those privileges. This course will explore identity and access management as one of the most critical provisions for IT departments. We will examine identity management technologies, including password-management tools, provisioning software, security-policy enforcement applications, reporting and monitoring apps, identity repositories and more.
Authentication testing

Course - 00:13:00

Authentication is the act of confirming the identity of a subject, in this case a user or the consumer of an API. Once a user has been authenticated, they are then authorized to access the resources or APIs their identity permits. In this course, we will learn about authentication and the vulnerabilities that arise in its implementation, such as weak credential storage, user enumeration through differing error responses and missing brute-force protection.
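An added example, not part of the course, of the implementation defects a tester looks for in a login routine, with the weak version beside a hardened one. The user store and credentials are constructed; the hardened version uses PBKDF2-HMAC-SHA256 from the standard library (a memory-hard hash such as Argon2 is preferable where a library is available), a constant-time comparison, a uniform error message, and a dummy record so that unknown usernames cost the same work as real ones.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor in line with current OWASP guidance

# Constructed user store for the insecure version: passwords kept in clear.
USERS_PLAINTEXT = {"alice": "hunter2"}


def login_vulnerable(username: str, password: str) -> Tuple[bool, str]:
    """Three defects: plaintext storage, a '!=' comparison that stops at the first
    differing byte, and distinct messages that let an attacker enumerate valid users."""
    if username not in USERS_PLAINTEXT:
        return False, "unknown user"
    if USERS_PLAINTEXT[username] != password:
        return False, "wrong password"
    return True, "ok"


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Salted, iterated hash so a leaked store cannot be reversed with precomputed tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": digest}


# Hardened store holds only salt + hash. The dummy record makes an unknown username
# cost the same work as a real one, so response time does not reveal which exist.
USERS_HASHED = {"alice": hash_password("hunter2")}
DUMMY_RECORD = hash_password(os.urandom(8).hex())


def login_hardened(username: str, password: str) -> Tuple[bool, str]:
    record = USERS_HASHED.get(username, DUMMY_RECORD)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    known = username in USERS_HASHED
    # compare_digest runs in constant time; '&' rather than 'and' avoids short-circuiting.
    ok = hmac.compare_digest(candidate, record["hash"]) & known
    return ok, ("ok" if ok else "invalid username or password")
```

The test a practitioner runs against the weak version is simply to compare the responses for a known and an unknown username: if they differ in text, status code or timing, the login form doubles as a username oracle.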
Authorization testing

Course - 00:22:00

Authorization means allowing access to resources only to those permitted to use them. Testing for authorization means understanding how the authorization process works and using that knowledge to try to circumvent it. Authorization follows successful authentication, so the tester verifies it while holding valid credentials associated with a well-defined set of roles and privileges, then attempts to reach resources and functions those credentials should not grant (horizontal access to another user's data, vertical escalation to administrative functions). In this course, we will learn about authorization and various vulnerabilities in its implementation.
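The horizontal-access test described above, as an added example that is not part of the course: a handler that authenticates the caller but never checks object ownership (an insecure direct object reference), the corrected handler, and the tester's procedure of logging in as each ordinary user and requesting every object that user does not own. Invoices, users and tokens are constructed.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed data: each invoice belongs to exactly one customer.
INVOICES: Dict[int, Dict[str, object]] = {
    101: {"owner": "alice", "total": 42.0},
    102: {"owner": "bob", "total": 99.5},
}
# Constructed sessions: the token is what the tester holds after logging in as each user.
SESSIONS: Dict[str, Dict[str, str]] = {
    "tok-alice": {"user": "alice", "role": "customer"},
    "tok-bob": {"user": "bob", "role": "customer"},
    "tok-admin": {"user": "carol", "role": "admin"},
}

Response = Tuple[int, Optional[Dict[str, object]]]


def get_invoice_vulnerable(token: str, invoice_id: int) -> Response:
    """Checks that the caller is authenticated but never that the invoice is theirs:
    an insecure direct object reference."""
    session = SESSIONS.get(token)
    if session is None:
        return 401, None
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, None
    return 200, invoice


def get_invoice_fixed(token: str, invoice_id: int) -> Response:
    """Ownership is checked on every object access; admins may read all invoices.
    Forbidden and missing both answer 404 so the ID space cannot be enumerated."""
    session = SESSIONS.get(token)
    if session is None:
        return 401, None
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, None
    if session["role"] != "admin" and invoice["owner"] != session["user"]:
        return 404, None
    return 200, invoice


def horizontal_access_test(handler: Callable[[str, int], Response]) -> List[Tuple[str, int]]:
    """Tester's procedure: log in as each non-admin user, request every object that
    user does not own, and report each one the application served (status 200)."""
    findings = []
    for token, session in SESSIONS.items():
        if session["role"] == "admin":
            continue
        for invoice_id, invoice in INVOICES.items():
            if invoice["owner"] != session["user"]:
                status, _ = handler(token, invoice_id)
                if status == 200:
                    findings.append((token, invoice_id))
    return findings
```

Answering 404 rather than 403 for another user's object is a design choice: 403 is more honest but confirms that the identifier exists, which helps an attacker enumerate sequential IDs.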
Session management testing

Course - 00:29:00

One of the core components of any application is the mechanism by which it controls and maintains state for an interacting user. To avoid re-authenticating on every page of a website or service, applications issue a session token after login and store and validate it for a predetermined time span. These mechanisms are known as session management. In this course, we will explore misconfigurations and vulnerabilities in session management, such as predictable tokens, cookies without the Secure and HttpOnly attributes, sessions that never expire and session fixation.
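A session-cookie audit, added here as an example rather than course material: it parses Set-Cookie headers and flags the misconfigurations a tester checks first (missing Secure, missing HttpOnly, no SameSite protection, a low-entropy identifier, a session cookie made persistent). The headers are constructed, one weak deployment beside a corrected one, and the entropy figure is a per-string Shannon estimate, which is a triage heuristic rather than a measure of the generator's real randomness.

```python
import math
from typing import Dict, List

# Constructed Set-Cookie headers: the first deployment is weak, the second corrected.
WEAK_HEADERS = [
    "Set-Cookie: sessionid=12345; Path=/",
    "Set-Cookie: remember=YWxpY2U=; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
]
HARDENED_HEADERS = [
    "Set-Cookie: sessionid=Rk3xF0Zm9qQzL2nW7vT1bH8cJ5sP4dYe; Path=/; Secure; HttpOnly; SameSite=Lax",
]

MIN_TOKEN_BITS = 64  # OWASP's session management guidance asks for at least 64 bits of entropy


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split 'Set-Cookie: name=value; Attr; Attr=val' into name, value and a
    lowercase attribute map (flag attributes map to True)."""
    body = header.split(":", 1)[1].strip()
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val if val else True
    return {"name": name, "value": value, "attrs": attrs}


def entropy_bits(value: str) -> float:
    """Rough Shannon estimate of the randomness in a token string. It scores short or
    repetitive values low; it cannot prove a long value was generated securely."""
    if not value:
        return 0.0
    n = len(value)
    per_char = -sum(value.count(c) / n * math.log2(value.count(c) / n) for c in set(value))
    return per_char * n


def audit_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Return, per cookie name, the list of session-management weaknesses found."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        attrs = cookie["attrs"]
        issues = []
        if "secure" not in attrs:
            issues.append("missing Secure")  # also sent over plaintext HTTP, so sniffable
        if "httponly" not in attrs:
            issues.append("missing HttpOnly")  # readable by injected script (XSS)
        samesite = str(attrs.get("samesite", "")).lower()
        if samesite not in ("lax", "strict"):
            issues.append("SameSite absent or None")  # attached to cross-site requests (CSRF)
        if entropy_bits(str(cookie["value"])) < MIN_TOKEN_BITS:
            issues.append("low-entropy value")  # guessable or sequential identifier
        if "expires" in attrs or "max-age" in attrs:
            issues.append("persistent (not session-scoped)")  # survives browser close
        findings[str(cookie["name"])] = issues
    return findings
```

Run against a live target, the same checks apply to every Set-Cookie seen during login, privilege change and logout; the tester also confirms that the identifier actually changes after authentication, which a static header audit cannot tell.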
Input validation testing

Course - 00:40:00

Input validation, also known as data validation, is the proper checking of any input supplied by a user or another application. It prevents improperly formed data from entering an information system and is the first line of defense against injection and traversal flaws. In this course, we will explore data validation vulnerabilities and their mitigation.
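An added example, not from the course, of allowlist validation in Python: each field states exactly what a valid value looks like instead of searching for known-bad characters, syntax is checked before the value is converted, and a filename is only accepted once the resolved path is confirmed to sit under the upload directory. The upload directory and the field formats are assumptions chosen for the example.

```python
import os
import re
from typing import Optional

# Assumed upload directory for the path check; any absolute directory works.
UPLOAD_DIR = os.path.abspath("/var/app/uploads")

# Allowlist patterns: describe the valid shape, not the forbidden characters.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
QUANTITY_RE = re.compile(r"[0-9]{1,3}")


def validate_username(value: str) -> bool:
    """fullmatch anchors both ends, so "alice; DROP TABLE" or "alice\n" cannot slip through."""
    return USERNAME_RE.fullmatch(value) is not None


def validate_quantity(value: str, lo: int = 1, hi: int = 100) -> Optional[int]:
    """Syntax first (digits only, so '-1', '1e3' and ' 5' are rejected before int() sees
    them), then semantics (business range). Returns the parsed int or None."""
    if QUANTITY_RE.fullmatch(value) is None:
        return None
    number = int(value)
    return number if lo <= number <= hi else None


def safe_upload_path(filename: str) -> Optional[str]:
    """Path traversal defence: the name must be a bare basename, and the resolved
    path must still sit under UPLOAD_DIR after normalisation."""
    if not filename or filename in (".", "..") or filename != os.path.basename(filename):
        return None
    full = os.path.abspath(os.path.join(UPLOAD_DIR, filename))
    if os.path.commonpath([UPLOAD_DIR, full]) != UPLOAD_DIR:
        return None
    return full
```

The second check in `safe_upload_path` looks redundant next to the basename test, but it is the one that matters when the rule is relaxed later (for example to allow subfolders): normalising and then comparing against the base directory catches "../" sequences regardless of how they were spelled.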
Error handling

Course - 00:13:00

Improper error handling can introduce a variety of security problems for a website. The most common is when internal error messages such as stack traces, database dumps and error codes are exposed to the user, who may be an attacker. These messages reveal implementation details (frameworks, file paths, query structure) that should never be disclosed and that make further attacks easier. In this course, we will explore error handling vulnerabilities and their mitigation.
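Detection logic for the disclosure described above, as an added example that is not part of the course: a set of signatures for verbose errors (Java and Python stack traces, SQL engine messages, PHP warnings with paths, bare source-file paths) run over constructed response bodies, plus the mitigation: an error handler that keeps the full trace in the server log under a random reference and returns only a generic message to the client.

```python
import logging
import re
import secrets
import traceback
from typing import Dict, List, Tuple

# Constructed response bodies: four leak implementation details, the last is a safe generic page.
RESPONSES: Dict[str, str] = {
    "java": "HTTP 500\njava.lang.NullPointerException\n\tat com.shop.CartService.total(CartService.java:88)",
    "python": "Traceback (most recent call last):\n  File \"/srv/app/views.py\", line 42, in checkout\nKeyError: 'cart'",
    "mysql": "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version",
    "php": "<b>Warning</b>: mysqli_connect(): Access denied in <b>/var/www/html/db.php</b> on line <b>12</b>",
    "safe": "Something went wrong. Reference: 7f3a9c2d. Please try again later.",
}

# Signatures of verbose errors a tester looks for in every response, including 200s.
DISCLOSURE_PATTERNS = {
    "java stack trace": re.compile(r"\bat [\w$.]+\(\w+\.java:\d+\)"),
    "python traceback": re.compile(r"Traceback \(most recent call last\)"),
    "sql error": re.compile(
        r"error in your SQL syntax|ORA-\d{5}|SQLSTATE\[|unterminated quoted string|Unclosed quotation mark",
        re.I,
    ),
    "php warning with path": re.compile(r"<b>(?:Warning|Fatal error|Notice)</b>:.*?/[\w./-]+\.php", re.S),
    "filesystem path": re.compile(r"(?:/[\w.-]+){2,}\.(?:py|php|java|rb|js)\b"),
}

log = logging.getLogger("app")


def find_error_disclosure(body: str) -> List[str]:
    """Return the names of every disclosure signature that matches the response body."""
    return [name for name, rx in DISCLOSURE_PATTERNS.items() if rx.search(body)]


def safe_error_response(exc: BaseException) -> Tuple[int, str]:
    """Mitigation: keep the full trace server-side, tied to a random reference that
    support staff can look up, and send the user only a generic message."""
    ref = secrets.token_hex(4)
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("ref=%s unhandled exception: %s", ref, detail)
    return 500, f"Something went wrong. Reference: {ref}. Please try again later."
```

In a real test the detector runs over every response the crawler collects, not only 5xx pages: verbose errors are often returned with a 200 status when the application catches the exception and prints it into the page.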
Cryptography

Course - 00:15:00

Cryptography is the science of secret writing: hiding the meaning of a message. Cryptanalysis is the science, and sometimes the art, of breaking cryptosystems. Although cryptography is now closely linked to modern electronic communication, early examples date back to about 2000 B.C., when non-standard "secret" hieroglyphics were used in ancient Egypt. This course will teach you about cryptography and the weak cryptographic algorithms and modes that should be avoided when developing software.
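The code-analysis side of "weak algorithms to avoid", as an added example that is not part of the course: a line-oriented scanner that flags weak primitives and common misuse (MD5, SHA-1, DES, RC4, ECB mode, a non-cryptographic random number generator, key or IV material hard-coded as a literal) in source text, with a note on what to use instead. The snippet it scans is constructed for the example and is not real project code; a scanner like this is a triage aid that still needs a human to judge each hit (MD5 for a non-security checksum is a false positive).

```python
import re
from typing import Dict, List

# Constructed snippet standing in for a code base under review; it is not real project code.
SAMPLE_SOURCE = '''
import hashlib, random
from Crypto.Cipher import AES, DES

def hash_password(pw):
    return hashlib.md5(pw.encode()).hexdigest()

def encrypt(key, data):
    return AES.new(key, AES.MODE_ECB).encrypt(data)

def legacy(key, data):
    return DES.new(key, DES.MODE_CBC, b"12345678").encrypt(data)

def token():
    return str(random.random())
'''

# (rule name, regex, why it matters and what to use instead)
WEAK_PATTERNS = [
    ("md5", r"(?i)\bmd5\b",
     "collisions are practical; use SHA-256, and a slow salted hash (Argon2, bcrypt, PBKDF2) for passwords"),
    ("sha1", r"(?i)\bsha1\b",
     "chosen-prefix collisions demonstrated; use SHA-256"),
    ("des/3des", r"\b(DES|DES3|TripleDES)\b",
     "64-bit block and short key; use AES"),
    ("rc4", r"\b(RC4|ARC4|ARCFOUR)\b",
     "biased keystream; use AES-GCM or ChaCha20-Poly1305"),
    ("ecb mode", r"MODE_ECB|/ECB/",
     "ECB leaks plaintext patterns; use an authenticated mode such as GCM"),
    ("non-crypto RNG", r"\brandom\.(random|randint|choice)\(",
     "predictable; use the secrets module or os.urandom for tokens and keys"),
    ("hardcoded key/IV literal", r"\b(DES|AES)\.new\([^)]*b['\"][^'\"]+['\"]",
     "static key or IV in source; load keys from a secret store and generate IVs per message"),
]


def find_weak_crypto(source: str) -> List[Dict[str, object]]:
    """Scan source text line by line and return one finding per (line, rule) hit."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule, pattern, advice in WEAK_PATTERNS:
            if re.search(pattern, line):
                findings.append({"line": lineno, "rule": rule, "advice": advice, "code": line.strip()})
    return findings


if __name__ == "__main__":
    for f in find_weak_crypto(SAMPLE_SOURCE):
        print(f"line {f['line']:>2} [{f['rule']}] {f['code']}\n         -> {f['advice']}")
```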
Business logic testing

Course - 00:14:00

Testing for business logic flaws in a multi-functional dynamic application requires thinking in unconventional ways. While there are tools for testing and verifying that business processes function correctly, they cannot detect logical vulnerabilities, because the flaw lies in what the application allows a user to do, not in how it parses input. This course will teach you about the importance of business logic testing while helping you to think creatively.
Client-side testing

Course - 00:33:00

Client-side testing refers to any testing of code that executes in the user's browser. This course will explore testing techniques for client-side vulnerabilities and ways to mitigate and reduce their impact. Client-side vulnerabilities stem from poor coding practices and failure to encode user input for the context in which it is rendered, which allows attackers to inject malicious payloads into the page's HTML and modify its content. Depending on the vulnerability, an attacker can change a few lines of the page, add entire forms used to trick users into providing sensitive information, or replace the website's complete layout.
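The reflection test for the injection described above, as an added example that is not part of the course: three constructed render functions stand in for server pages (one reflects input unencoded, one encodes for HTML text, one encodes only angle brackets and then places the value inside an attribute), and the probe sends a unique canary, confirms it is reflected, then checks each dangerous character separately so partial encoding shows up per character. Against a live target the render function would be replaced by an HTTP request that returns the page body.

```python
import html
import secrets
from typing import Callable, Dict, List

DANGEROUS_CHARS = ["<", ">", '"', "'"]


def render_search_vulnerable(query: str) -> str:
    """Reflects the parameter into HTML text with no encoding: reflected XSS."""
    return f"<p>Results for: {query}</p>"


def render_search_fixed(query: str) -> str:
    """Encodes for the HTML context the value is placed in, including both quote characters."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_attr_partial(query: str) -> str:
    """Escapes only & < > and places the value in an attribute: a quote still breaks out
    of the attribute, so event-handler injection remains possible."""
    return f'<input type="text" name="q" value="{html.escape(query, quote=False)}">'


def reflected_xss_probe(render: Callable[[str], str]) -> Dict[str, object]:
    """Tester's check: a random canary avoids false matches against static page text;
    each dangerous character is then sent on its own between two copies of the canary."""
    canary = secrets.token_hex(4)
    reflected = canary in render(canary)
    unencoded: List[str] = []
    if reflected:
        for ch in DANGEROUS_CHARS:
            marker = f"{canary}{ch}{canary}"
            if marker in render(marker):
                unencoded.append(ch)
    return {"reflected": reflected, "unencoded": unencoded}
```

The third case is why the probe reports per character rather than a single yes/no: a page that neutralises "<" and ">" looks safe to a naive scanner, yet inside a quoted attribute the surviving quote is enough to close the attribute and add one of its own.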
Client-side testing reports

Course - 00:40:00

Software security testing project

Course - 02:19:00

The following challenges describe a scenario that leads to full compromise of the target due to the use of insecure practices. Each challenge depends on the result of the previous one, so you should work through them in the order specified in the challenges document.

The details

Learning path insights

How to claim CPEs

Should you complete this learning path, you’ll be able to download a certificate of completion. Use this to claim your CPEs or CPUs.

Associated NICE Work Roles

All Infosec training maps directly to the NICE Workforce Framework for Cybersecurity to guide you from beginner to expert across 52 Work Roles.

  • All-Source Analyst
  • Mission Assessment Specialist
  • Exploitation Analyst

No software. No set up. Unlimited access.

Skip the server racks and spin up a realistic environment with one click. Infosec Skills cyber ranges require no additional software, hardware or server space so your team can spend less time configuring environments and more time learning. Unlimited cyber range access is included in every Infosec Skills subscription so your team can skill up however they learn best.

Unlock 7 days of free training

  • 1,400+ hands-on courses and labs
  • Certification practice exams
  • Skill assessments

Plans & pricing

Infosec Skills Personal

$299 / year

  • 190+ role-guided learning paths (e.g., Ethical Hacking, Threat Hunting)
  • 100s of hands-on labs in cloud-hosted cyber ranges
  • Custom certification practice exams (e.g., CISSP, Security+)
  • Skill assessments
  • Infosec peer community support

Infosec Skills Teams

$799 per license / year

  • Team administration and reporting
  • Dedicated client success manager
  • Single sign-on (SSO)
    Easily authenticate and manage your learners by connecting to any identity provider that supports the SAML 2.0 standard.
  • Integrations via API
    Retrieve training performance and engagement metrics and integrate learner data into your existing LMS or HRS.
  • 190+ role-guided learning paths and assessments (e.g., Incident Response)
  • 100s of hands-on labs in cloud-hosted cyber ranges
  • Create and assign custom learning paths
  • Custom certification practice exams (e.g., CISSP, CISA)
  • Optional upgrade: Guarantee team certification with live boot camps

Learn about scholarships and financing with Affirm.