
Security Engineering & Operations Topics

Operational security practices, secure systems implementation, threat modeling, penetration testing, vulnerability assessment, and security operations at production scale. Covers network security, endpoint security, secure architecture implementation, incident response mechanics, and security automation. Distinct from Security & Compliance (which addresses governance, compliance frameworks, and policy) and from Security Research & Innovation (which addresses novel techniques and research contributions).

Security Testing and Vulnerability Analysis

Practical techniques for finding vulnerabilities through testing and code inspection. Topics include static application security testing through source and binary analysis, dynamic application security testing via runtime and black-box approaches, interactive testing, fuzzing, manual code review for logic and access-control flaws, penetration testing methodologies, exploit proof-of-concept development, vulnerability triage and prioritization, and recommending and validating remediation. Candidates should demonstrate the ability to analyze code samples, design test plans, and explain how testing results map to fixes and risk reduction.


Security Testing Fundamentals

Fundamental practices for identifying and mitigating security vulnerabilities in software. Candidates should understand common failure modes described by the Open Web Application Security Project (OWASP) Top Ten and related risks, such as injection attacks (including SQL injection), cross-site scripting, broken authentication and authorization, insecure direct object references, and security misconfiguration. Coverage includes secure coding patterns such as input validation, output encoding, parameterized queries, secure session handling, least privilege, and secret management. Testing approaches include manual exploratory security testing, threat modeling, dynamic security scanning, static analysis, dependency and software composition analysis, fuzz testing, and targeted penetration testing. Candidates should also be able to explain how to integrate security checks into automated test suites and continuous integration pipelines, and how to prioritize security fixes by impact and exploitability.
