CSTM/CSTL Secure Development Operations

Please click on the following tabs to reveal the knowledge depth required for a successful pass of the CSTM or CSTL exam.

You will be given a random selection of questions. Please note exam content is subject to change due to circumstances beyond our control – use this as a guide and email us if you have any queries.

  • Understands common insecure programming practices, including:
    • Use of dangerous functions
    • Insufficient sanitisation of user-supplied data
    • Use of outdated third-party components
    • Logic errors
  • Understands the role of automated security testing tools as part of the development process, including:
    • Static analysis tools (SAST)
    • Dynamic analysis tools (DAST)
    • Dependency checking tools
  • Understands how automated tooling can safely and effectively be incorporated into the development pipeline.
  • Can identify and advise on common security misconfigurations of these tools.

  • Understands the role of tools to automate the building, configuration and deployment of infrastructure, including:
    • Terraform
    • Puppet
    • Ansible
    • Chef
  • Can identify and advise on common security misconfigurations of these tools.

  • Can identify and advise on issues relating to weakly protected code repositories, for example:
    • Openly exposed repositories containing closed source code
    • Weak or insufficiently protected credentials
  • Understands the security implications of storing sensitive information in source code repositories, e.g. passwords, private cryptographic keys or API keys.