Cyber Scheme Team Leader (CSTL) Web Application
Assessment Structure
Cyber Scheme cannot award CHECK status, but it does award certificates that the NCSC recognises as confirmation that the technical standard required for CHECK has been met.
The assessment is structured to simulate a real-world penetration test. It comprises three phases.
Scoping – 15 minutes
All candidates will share a common scoping briefing. Following the common briefing, each candidate will individually have up to 10 minutes to ask questions concerning the scope of the penetration test. During your individual scoping session, the Assessor will play the role of the commissioning client. Your performance during the individual scoping session will form part of the assessment.
Practical Penetration Test – 4 hours
Your laptop will be connected to the assessment infrastructure, from which you will perform the practical penetration test as defined in the scoping session. Connectivity will end after 4 hours. During the final 30 minutes, candidates will be advised to prepare for the interview that follows, specifically by producing a site map.
(Break – 15 minutes)
There will be a 15-minute lunch break during the practical penetration test. During this time candidates will not be permitted to use their computers. This 15-minute break does not count towards the 4 hours of the practical assessment. You may take additional breaks for refreshments within the practical test, but no additional time will be allowed for any additional breaks that are taken.
Interview – 30 minutes
During the interview you will be required to produce a site map on a whiteboard or flip chart. The site map must detail the application’s pages and API functionality, but it does not need to include static assets such as media or scripts. The interview is an assessed component of the examination; care should be taken to ensure that the site map reflects your full understanding of the assessment application.
You will also be expected to inform the commissioning client (Assessor) of the significant aspects of your practical penetration test. The Assessor may ask you to explain any aspect of the process that you followed during the practical test.
Assessment Outcome
Under normal circumstances, you will be notified of success or failure within one working week by Cyber Scheme.
Assessment Requirements
In order to pass the test, you must demonstrate all of the following:
- appropriate interaction with the commissioning client,
- knowledge of the process of conducting a penetration test, including legal and ethical issues,
- core capability to identify and exploit OWASP Top 10 vulnerabilities, especially with regard to:
  - injection vulnerabilities, e.g. SQL injection,
  - cross-site scripting (XSS) vulnerabilities,
  - privilege escalation vulnerabilities,
  - information disclosure vulnerabilities,
- core capability to produce an accurate site map.
The Cyber Scheme believes everyone should have access to a career in security testing. We are available to discuss any concerns you have and are more than happy to make reasonable adjustments for any candidate who requires them during examinations.
These reasonable adjustments are to ensure you are given an equal opportunity to demonstrate the necessary knowledge, skills and behaviours required. We recognise that not all disabilities are visible.
We offer a range of reasonable adjustments depending on the difficulty you might face. If you request an adjustment that we are unable to offer, we will give you the reason why. This might be because it maps to a key Knowledge, Skill or Behaviour that we have to assess against within the certification. If that is the case, we will tell you which aspect we think would not be properly assessed.
There may be background noise during an assessment. Please bring (or ask for) ear plugs or ear defenders, or listen to music, if background noise is likely to affect your concentration.
Mobility
All of our facilities are accessible to people with mobility issues. Should any other special facilities be required, please get in touch at the time of booking. For some reasonable adjustments, such as access to a disabled parking space, we will need to see supporting documentation about the condition so that we can apply for this access on your behalf. No information will be retained or stored once the request has been validated.