CSTM/CSTL Secure Development Operations

Please click on the following tabs to reveal the knowledge depth required for a successful pass of the CSTM or CSTL exam.

You will be given a random selection of questions. Please note that exam content is subject to change due to circumstances beyond our control – use this as a guide and email us if you have any queries.

  • Understands common insecure programming practices, including:
    • Use of dangerous functions
    • Insufficient sanitisation of user-supplied data
    • Use of outdated third party components
    • Logic errors
  • Understands the role of automated security testing tools as part of the development process, including:
    • Static analysis tools (SAST)
    • Dependency checking tools
    • Dynamic analysis tools (DAST)
  • Understands how automated tooling can safely and effectively be incorporated into the development pipeline.
  • Can identify and advise on common security misconfigurations of these tools.
  • Understands the role of tools to automate the building, configuration and deployment of infrastructure, including:
    • Terraform
    • Puppet
    • Ansible
    • Chef
  • Can identify and advise on common security misconfigurations of these tools.
  • Can identify and advise on issues relating to weakly protected code repositories, for example:
    • Openly exposed repositories containing closed source code
    • Weak or insufficiently protected credentials
  • Understands the security implications of storing sensitive information in source code repositories, e.g. passwords, private cryptographic keys or API keys.