You have to pass the CT-STE exam to receive the certification from ISTQB. To increase the effectiveness of your study and make you familiar with the actual exam pattern, we have prepared these ISTQB Security Test Engineer sample questions. Our Sample ISTQB Certified Tester Security Test Engineer Practice Exam will give you more insight into both the type and the difficulty level of the questions on the ISTQB CT - Security Test Engineer exam.
However, we strongly recommend practicing with our Premium ISTQB Certified Tester - Security Test Engineer (CT-STE) Practice Exam to achieve the best score in your actual ISTQB CT-STE Exam. The premium practice exam questions are more comprehensive, exam oriented, scenario-based and an exact match of the ISTQB Certified Tester Security Test Engineer exam questions.
ISTQB Security Test Engineer Sample Questions:
01. In a CI/CD environment a new pipeline is being put together for the next project you are working on. Which one of the following would you recommend being the first triggered step as part of the pipeline?
a) SCA
b) SAST
c) DAST
d) IAST
02. Security test reports should be handled with a high level of confidentiality. What type of data, found in most security test reports, motivates this classification?
a) Name of the security tester, timeframe for test execution, test results (passed and failed test cases)
b) Used test environment, pre-set preconditions of the executed tests, used test data, procedure of test execution, detected behavior
c) List of tested CVE vulnerabilities, list of named developers, identified software development method, identified software development tools
d) Used security coding conventions, identified functional test coverage, applied vulnerability scans
03. How can security testing improve measurability within an ISMS?
a) Security tests can be used as objective analysis within the Check step of the PDCA cycle to measure effectiveness of a PDCA cycle.
b) All security testing generates quantifiable insights into the security of a system that can be used to measure ISMS effectiveness.
c) The more security tests a system under test passes, the better and more effective the ISMS is.
d) The effectiveness of an ISMS is better the more security testing techniques are used.
04. Which one of the following options describes Zero Trust?
a) All users are granted the level of access they need.
b) Only devices within the trusted network get access to systems.
c) Any device and user with access to the system is trusted by default.
d) Any user requires continuous verification of identity regardless of the user’s location.
05. You are responsible for the system’s security. Somebody in your team is interested in security testing and does a penetration test on your system, which includes OWASP Top-10 vulnerabilities. The corresponding test report consists only of passed and failed test cases covering these vulnerabilities.
Which reasoning on accepting or rejecting the test report is correct?
a) Accepting, as the penetration test was done by an internal colleague who knows the specific security style guides.
b) Rejecting, as your acceptance criteria for security were not communicated and are not considered in the test report. So it’s unclear if the corresponding test techniques were used and if the test results are relevant for your yearly security style guide conformance check.
c) Accepting, as OWASP is Best Practice and defines a general list of acceptance criteria.
d) Rejecting, because a security code style guide should be tested by white-box testing approaches, not by black-box dynamic pentests.
e) Accepting, as OWASP reflects your security code style guide.
06. Each attack is different. However, certain steps are common for almost every attack. These steps can be defined as:
a) Social engineering, followed by brute-force attack and at the end persisting/maintaining access
b) Exploitation/gaining access followed by social engineering to understand the results and at the end clearing tracks
c) Information gathering step, followed by exploitation/gaining access and at the end persisting/maintaining access
d) Information gathering, followed by clearing tracks and at the end social engineering to have a better baselining
07. When you use test oracles for an application from standards and best practices, what do you have to consider?
a) Such test oracles are valid independently of any application parameters
b) Such test oracles can only be used as fuzzy hints for security testing
c) Such test oracles cannot be used for security testing
d) The less specific an application and its context is, the more efficient is reusing such test
08. A new start-up enterprise in the banking industry has developed a new core system. The development team has focused on good usability and excellent performance so far. Before going live, the executive board wants to get an independent view of the level of security. They are asking you as security tester to do a black-box pentest. The task is to test for the most critical vulnerabilities that could be exploitable in the new banking app.
If you want to fulfill this job, how can you leverage standards for your task?
a) You select relevant weaknesses within the CWE standard and execute listed test cases
b) You select relevant weaknesses within CWE, choose available exploits for selected CWEs and apply them
c) You select relevant weaknesses within CWE, you prioritize selected CWEs based on the CWSS standard, and you select relevant CVEs covering the prioritized CWEs
d) You select relevant weaknesses within CWE, you prioritize selected CWEs based on the CVSS standard and derive individual test cases related to the CVSS
e) For each selected CVE you derive test cases for the banking app and execute them
09. During component testing, which compiler warning would trigger the security tester most?
a) Those indicating security problems that must be fixed
b) Those indicating potential issues that should be investigated
c) Those indicating coding issues that will cause functional suitability defects
d) Those indicating poor programming practices that will increase maintainability
10. When using open-source software, which of the following is NOT a critical factor to consider when addressing security concerns?
a) Alignment with OWASP and active security audits by the contributors.
b) Frequency and availability of security patches and updates.
c) Your team’s ability to manage and customize the tool for your environment.
d) Licensing requirements and compliance with open-source security guidelines.
Answers:
Question 01: a
Question 02: b
Question 03: a
Question 04: d
Question 05: b, d
Question 06: c
Question 07: d
Question 08: c, e
Question 09: b
Question 10: c
If you find any errors or typos in the ISTQB Certified Tester - Security Test Engineer (CT-STE) sample question-answers or the online ISTQB CT - Security Test Engineer practice exam, please report them to us at feedback@processexam.com