Domain: Testing & QA
Skill profile: OWASP ZAP, Burp Suite, penetration testing, DAST pipelines, SAST integration
Roles: 7 (roles in which this skill appears)
Levels: 5 (structured development path)
Mandatory requirements: 27 (the other 8 are optional)
Testing & QA / Specialized Testing
17.3.2026
Choose your current level and compare the expectations.
The five tables below, one per level, show how the expected depth grows from Junior to Principal. A row marked "Required" is mandatory for that role at that level; "Optional" rows are the 8 optional requirements.
Level 1 of 5 (Junior)

| Role | Required | Description |
|---|---|---|
| Application Security Engineer | Optional | Understands security testing fundamentals: OWASP Top 10 vulnerabilities, basic SAST/DAST tool usage (SonarQube, OWASP ZAP), and security test case design. Runs automated security scans and reports findings. Follows team guidelines for secure coding verification and vulnerability triage. |
| DevSecOps Engineer | Optional | Understands security testing in a CI/CD context: integrating SAST/DAST scanners into pipelines, container image vulnerability scanning, and dependency security checks. Configures automated security gates in build processes. Follows team practices for security tool configuration and alert management. |
| Penetration Testing Engineer | Optional | Understands penetration testing fundamentals: reconnaissance techniques, common web application vulnerabilities, and basic exploitation tools (Burp Suite, Metasploit). Conducts guided vulnerability assessments following established methodologies. Reports findings with clear reproduction steps and risk ratings. |
| QA Automation Engineer | Required | Understands security testing basics for QA: OWASP testing guidelines, basic security assertions in automated tests (XSS and SQL injection checks), and security test data management. Integrates basic security checks into existing test frameworks. Follows team practices for security regression testing. |
| QA Engineer (Manual) | Required | Understands security testing fundamentals from the QA perspective: manual security test case design, authentication/authorization flow testing, and input validation verification. Executes security-focused exploratory testing sessions. Follows team guidelines for security defect reporting and classification. |
| QA Security Engineer | Required | Understands security QA fundamentals: security test planning, OWASP testing methodology, and security-focused test case design. Executes security test suites covering authentication, authorization, input validation, and data protection. Uses basic security testing tools (OWASP ZAP, Burp Suite Community). Follows team practices for security defect lifecycle management. |
| Security Analyst | Optional | Understands security testing from an analytical perspective: interpreting vulnerability assessment reports, analyzing security scan results, and applying risk rating methodologies (CVSS). Monitors security scanning dashboards and tracks remediation progress. Follows team practices for vulnerability management workflows. |
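The Level 1 DevSecOps and Application Security rows expect someone to run automated scans and configure security gates in the build. The Python below is an added example (not code from this page, from OWASP ZAP, or from any product) of such a gate: it reads a ZAP JSON report, applies a time-boxed risk-acceptance list so that accepted findings resurface when their acceptance expires, and fails the build on High findings or on more Medium findings than allowed. The sample report, plugin IDs, URLs, ticket numbers and dates are constructed for the example; the field names follow ZAP's traditional JSON export (`site[].alerts[].instances[]`, `riskcode` 0–3, `confidence` 0–3) and should be checked against the report your ZAP version actually writes.

```python
"""Build-pipeline gate over an OWASP ZAP JSON report (added example).

The scan itself runs elsewhere (for instance the zap-baseline / zap-full-scan
images writing report.json); this step decides whether the build may proceed."""
import json
import sys
from datetime import date

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed report in the shape of ZAP's traditional JSON export; real
# reports carry many more fields per alert (desc, solution, cweid, ...).
SAMPLE_REPORT = json.loads(r"""
{ "@version": "2.14.0",
  "site": [ { "@name": "https://app.example.test", "alerts": [
    { "pluginid": "40018", "alert": "SQL Injection", "riskcode": "3", "confidence": "2",
      "instances": [ { "uri": "https://app.example.test/search?q=1", "param": "q" } ] },
    { "pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
      "riskcode": "2", "confidence": "3",
      "instances": [ { "uri": "https://app.example.test/" },
                     { "uri": "https://app.example.test/login" } ] },
    { "pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
      "riskcode": "1", "confidence": "2",
      "instances": [ { "uri": "https://app.example.test/static/app.js" } ] },
    { "pluginid": "90022", "alert": "Application Error Disclosure",
      "riskcode": "2", "confidence": "1",
      "instances": [ { "uri": "https://app.example.test/api/items" } ] }
  ] } ] }
""")

# Constructed risk-acceptance list: alert + exact URI + tracking ticket + expiry,
# so an accepted finding automatically comes back once the acceptance lapses.
ACCEPTED = [
    {"pluginid": "10038", "uri": "https://app.example.test/login",
     "ticket": "SEC-123", "expires": "2026-12-31"},
    {"pluginid": "90022", "uri": "https://app.example.test/api/items",
     "ticket": "SEC-77", "expires": "2025-01-31"},
]


def flatten_alerts(report):
    """Yield one finding per alert instance with the fields the gate needs."""
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            instances = alert.get("instances") or [{"uri": site.get("@name", "")}]
            for inst in instances:
                yield {
                    "pluginid": str(alert.get("pluginid", "")),
                    "name": alert.get("alert") or alert.get("name", ""),
                    "risk": int(alert.get("riskcode", 0)),
                    "confidence": int(alert.get("confidence", 0)),
                    "uri": inst.get("uri", ""),
                }


def active_acceptances(accepted, today):
    """(pluginid, uri) pairs whose acceptance has not expired on `today` (ISO date)."""
    now = date.fromisoformat(today)
    return {(a["pluginid"], a["uri"]) for a in accepted
            if date.fromisoformat(a["expires"]) >= now}


def evaluate_gate(report, accepted, today, fail_risk=3, warn_risk=2,
                  max_warnings=0, min_confidence=1):
    """Sort findings into blocking / warnings / noted / ignored and decide pass/fail.

    risk >= fail_risk always fails; warn_risk <= risk < fail_risk fails only when
    more than max_warnings of them remain; lower risks are noted; findings below
    min_confidence (0 = ZAP false-positive) or under an active acceptance are
    ignored but still listed so the summary stays honest."""
    accepted_keys = active_acceptances(accepted, today)
    buckets = {"blocking": [], "warnings": [], "noted": [], "ignored": []}
    for f in flatten_alerts(report):
        if f["confidence"] < min_confidence or (f["pluginid"], f["uri"]) in accepted_keys:
            buckets["ignored"].append(f)
        elif f["risk"] >= fail_risk:
            buckets["blocking"].append(f)
        elif f["risk"] >= warn_risk:
            buckets["warnings"].append(f)
        else:
            buckets["noted"].append(f)
    buckets["passed"] = not buckets["blocking"] and len(buckets["warnings"]) <= max_warnings
    return buckets


def format_summary(result):
    lines = ["GATE " + ("PASSED" if result["passed"] else "FAILED")]
    for bucket in ("blocking", "warnings", "noted", "ignored"):
        for f in result[bucket]:
            lines.append(f"  [{bucket:<8}] {RISK_NAMES[f['risk']]:<13} "
                         f"{f['pluginid']} {f['name']} @ {f['uri']}")
    return "\n".join(lines)


if __name__ == "__main__":
    result = evaluate_gate(SAMPLE_REPORT, ACCEPTED, today="2026-03-17")
    print(format_summary(result))
    sys.exit(0 if result["passed"] else 1)
```

Run stand-alone it exits non-zero because of the SQL injection finding, which is what a pipeline step should do; the expired acceptance for the error-disclosure alert is also back as a warning. The acceptance list belongs in the repository under review, so a new entry is itself a code change that someone approves.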
Level 2 of 5

| Role | Required | Description |
|---|---|---|
| Application Security Engineer | Optional | Independently conducts application security testing: custom SAST rule creation, DAST scan configuration for complex applications, and interactive application security testing (IAST). Performs manual code review of security-critical components. Creates security test automation for CI/CD pipelines. Covers edge cases in authentication, authorization, and data validation. |
| DevSecOps Engineer | Optional | Introduces security testing into CI/CD: SAST with Semgrep, dependency scanning with Snyk, secret detection with Gitleaks. Conducts manual security testing of web applications with Burp Suite. Writes security test cases for critical functions: authentication, authorization, payment processing. |
| Penetration Testing Engineer | Optional | Independently conducts penetration tests: web application exploitation (SQLi, XSS, SSRF, deserialization), API security testing, and infrastructure vulnerability assessment. Uses advanced Burp Suite techniques (custom extensions, Intruder payload patterns). Creates proof-of-concept exploits and detailed technical reports with remediation guidance. |
| QA Automation Engineer | Required | Implements security test automation: integrates OWASP ZAP into CI/CD for automated DAST, creates security regression test suites, and implements API security testing (authentication bypass, injection, rate limiting). Develops custom security test scripts for domain-specific vulnerabilities. Covers edge cases in security control validation. |
| QA Engineer (Manual) | Required | Independently conducts manual security testing: exploratory security testing sessions, authentication/authorization bypass attempts, and input validation boundary testing. Creates comprehensive security test plans covering OWASP guidelines. Collaborates with the pentest team on vulnerability verification. Applies security-focused test design techniques. |
| QA Security Engineer | Required | Conducts security testing: OWASP Top 10 verification, vulnerability scanning (ZAP/Burp), dependency checking (Snyk). Documents findings with reproducible steps. |
| Security Analyst | Optional | Independently analyzes security testing results: correlates vulnerability scan findings across tools, assesses risk impact for business-critical applications, and tracks remediation SLA compliance. Creates vulnerability management reports and trend analyses. Conducts threat modeling sessions to prioritize security testing efforts. |
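The QA Automation rows at Level 1 (basic XSS and SQL injection assertions in automated tests) and Level 2 (security regression suites; API checks for authentication bypass, injection and rate limiting) describe one pattern: payload-driven checks that run on every build and catch a control being removed. The following is an added example, not code from this page or from any of the listed tools. It contains a small in-memory application under test with a deliberately weak and a hardened build, and four regression checks run against it; the application, its data, the payload lists and the lockout threshold are all constructed for the example, and a real suite would target the product's HTTP API instead of calling methods directly.

```python
"""Security regression checks of the kind a QA automation engineer wires into
an existing test suite (added example, not code from the page or any product).

DemoApp is a constructed in-memory stand-in for the application under test.
Its `hardened` flag switches between a deliberately weak build and the fixed
one, so the same checks can be seen failing and then passing."""
import html
import sqlite3

# Constructed payloads; a real suite would draw on a maintained payload corpus.
SQLI_PAYLOADS = ["' OR '1'='1", '" OR 1=1 --', "1; DROP TABLE users; --"]
XSS_PAYLOADS = ["<script>alert(1)</script>",
                '"><img src=x onerror=alert(1)>',
                "'><svg/onload=alert(1)>"]
MAX_FAILED_LOGINS = 5  # constructed lockout threshold


class DemoApp:
    """Constructed application under test (not a real product)."""

    def __init__(self, hardened=True):
        self.hardened = hardened
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT, pw TEXT)")
        self.db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)",
                            [(1, "alice", "user", "s3cret"), (2, "bob", "user", "hunter2"),
                             (3, "carol", "admin", "admin-pw")])
        self.failed_logins = {}

    def search(self, name):
        """Exact-name lookup: parameterized when hardened, string-built otherwise."""
        if self.hardened:
            cur = self.db.execute("SELECT name FROM users WHERE name = ?", (name,))
        else:  # weak build: attacker-controlled text becomes part of the SQL
            cur = self.db.execute(f"SELECT name FROM users WHERE name = '{name}'")
        return [row[0] for row in cur.fetchall()]

    def render_search(self, query):
        """HTML fragment echoing the query; only the hardened build escapes it."""
        shown = html.escape(query, quote=True) if self.hardened else query
        return f"<p>Results for {shown}</p>"

    def profile(self, user_id, as_user):
        """Object-level authorization: only the owner or an admin may read a profile."""
        row = self.db.execute("SELECT role FROM users WHERE id = ?", (as_user,)).fetchone()
        if as_user == user_id or (row and row[0] == "admin"):
            return self.db.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
        return None

    def login(self, name, password):
        """Returns 'ok', 'denied' or 'locked'; only the hardened build locks out."""
        failures = self.failed_logins.get(name, 0)
        if self.hardened and failures >= MAX_FAILED_LOGINS:
            return "locked"
        row = self.db.execute("SELECT pw FROM users WHERE name = ?", (name,)).fetchone()
        if row and row[0] == password:
            self.failed_logins[name] = 0
            return "ok"
        self.failed_logins[name] = failures + 1
        return "denied"


def check_sql_injection(app):
    """No payload equals a stored name, so any returned row or DB error is a finding."""
    findings = []
    for payload in SQLI_PAYLOADS:
        try:
            rows = app.search(payload)
        except sqlite3.Error as exc:
            findings.append(f"{payload!r}: database error surfaced ({exc})")
            continue
        if rows:
            findings.append(f"{payload!r}: returned {len(rows)} rows")
    return findings


def check_xss(app):
    """The raw payload must never appear unescaped in the rendered HTML."""
    return [f"{payload!r}: reflected unescaped" for payload in XSS_PAYLOADS
            if payload in app.render_search(payload)]


def check_authorization(app):
    """A plain user must not read another user's profile; an admin may."""
    findings = []
    if app.profile(2, as_user=1) is not None:
        findings.append("user 1 read profile 2 (IDOR)")
    if app.profile(1, as_user=3) is None:
        findings.append("admin denied legitimate access")
    return findings


def check_rate_limit(app):
    """After MAX_FAILED_LOGINS bad passwords even the correct one must be refused."""
    for _ in range(MAX_FAILED_LOGINS):
        app.login("alice", "wrong")
    if app.login("alice", "s3cret") != "locked":
        return ["no lockout after repeated failed logins"]
    return []


def run_security_regression(app):
    """Run every check; return {check_name: findings} for the failing checks only."""
    checks = {"sqli": check_sql_injection, "xss": check_xss,
              "authz": check_authorization, "rate_limit": check_rate_limit}
    return {name: found for name, fn in checks.items() if (found := fn(app))}


if __name__ == "__main__":
    for label, hardened in (("weak build", False), ("hardened build", True)):
        print(f"{label}: {run_security_regression(DemoApp(hardened)) or 'clean'}")
```

Each check returns its findings as data rather than asserting inline, so the same functions can feed a pytest wrapper, a CI summary, or a ticket. The SQL injection check deliberately treats a surfaced database error as a finding too: an error message leaking on a malformed payload is itself a signal that untrusted input reached the query.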
Level 3 of 5

| Role | Required | Description |
|---|---|---|
| Application Security Engineer | Required | Designs the security testing strategy for applications: custom SAST/DAST pipeline architecture, threat-model-driven test planning, and security chaos engineering. Implements advanced testing techniques: mutation-based fuzzing, semantic code analysis, and API-specification-driven security testing. Creates security testing frameworks and reusable test libraries. Mentors the team on security testing methodologies. |
| DevSecOps Engineer | Required | Develops the security testing strategy for all SDLC stages. Introduces fuzz testing (AFL, libFuzzer) to detect memory corruption vulnerabilities. Configures IAST for runtime analysis in staging. Builds an automated API vulnerability scanning framework on Nuclei with custom templates. |
| Penetration Testing Engineer | Required | Designs comprehensive penetration testing programs: red team operations, advanced exploit development, and security assessment frameworks. Implements automated vulnerability discovery pipelines. Conducts advanced attacks: cloud infrastructure exploitation, container escape, and supply chain attack simulation. Creates pentest tooling and custom exploit frameworks. Mentors the team on advanced offensive security techniques. |
| QA Automation Engineer | Required | Designs the security testing architecture for the product: an automated security test pyramid (SAST/DAST/IAST), a security regression framework, and vulnerability detection pipelines. Implements contract-based API security testing and fuzz testing for input validation. Establishes security testing center-of-excellence (COE) practices. Optimizes security test execution for fast CI/CD feedback. Mentors the team on security test automation. |
| QA Engineer (Manual) | Required | Designs the security testing strategy for QA: security test planning aligned with threat models, exploratory security testing frameworks, and security regression test management. Implements security testing metrics and quality dashboards. Creates security testing training materials for the QA team. Mentors the team on security-focused test design and risk-based testing. |
| QA Security Engineer | Required | Designs the security testing program: risk-based testing strategy, automated vulnerability scanning pipeline, manual penetration testing scope. Integrates with the bug bounty program. |
| Security Analyst | Required | Designs security analytics for vulnerability management: automated vulnerability correlation across scanning tools, risk-based prioritization models, and executive reporting dashboards. Implements continuous security monitoring for the application portfolio. Conducts organizational threat modeling and risk assessments. Mentors the team on advanced security analysis techniques. |
Level 4 of 5

| Role | Required | Description |
|---|---|---|
| Application Security Engineer | Required | Defines the security testing strategy across the organization. Establishes SAST/DAST/IAST standards, security testing quality gates, and DevSecOps practices. Drives adoption of a shift-left security testing culture. Creates a security testing center of excellence (COE) and trains security champions across engineering teams. |
| DevSecOps Engineer | Required | Defines the security testing program for the organization. Manages the internal penetration testing team and coordinates external audits. Builds metrics: coverage, vulnerability density, escape rate. Introduces chaos engineering for security (GameDay exercises). Integrates security testing into the Definition of Done. |
| Penetration Testing Engineer | Required | Defines the penetration testing strategy for the organization. Establishes pentest methodologies, scope guidelines, and reporting standards. Coordinates red team operations and purple team exercises. Creates attack simulation frameworks for continuous security validation. Trains the pentest team on emerging attack vectors. |
| QA Automation Engineer | Required | Defines the security testing strategy at the product level. Establishes automated security testing standards, quality gates, and DevSecOps integration requirements. Drives adoption of security testing as part of every team's CI/CD pipeline. Creates security testing infrastructure and tooling standards across the organization. |
| QA Engineer (Manual) | Required | Defines the security testing strategy at the team/product level. Establishes security testing standards and best practices. Conducts reviews and coordinates penetration testing. |
| QA Security Engineer | Required | Defines security testing standards: testing methodology, tool selection, reporting requirements. Coordinates security testing across the development lifecycle. |
| Security Analyst | Required | Defines the security analysis and vulnerability management strategy. Establishes vulnerability scanning policies, risk assessment frameworks, and remediation SLA requirements. Coordinates threat intelligence integration for security testing prioritization. Creates security analytics capabilities for organization-wide vulnerability visibility. |
Level 5 of 5 (Principal)

| Role | Required | Description |
|---|---|---|
| Application Security Engineer | Required | Defines the organization's QA strategy. Shapes the quality engineering culture. Implements platform-level testing solutions. |
| DevSecOps Engineer | Required | Designs the corporate security testing framework, unifying SAST, DAST, IAST, SCA, fuzzing and pentesting into a single program. Defines the AI-assisted security testing strategy. Develops a security testing maturity model. Manages relationships with external security researchers. |
| Penetration Testing Engineer | Required | Defines the enterprise offensive security strategy. Shapes organizational red team capabilities and continuous security validation programs. Drives adoption of adversary simulation and breach-and-attack simulation (BAS) platforms. Coordinates with industry on emerging threats and offensive security research. Represents the organization at security conferences and in standards bodies. |
| QA Automation Engineer | Required | Defines the organizational security testing strategy as part of overall quality engineering. Builds a security-aware testing culture across all development teams. Implements platform solutions for automated security validation at scale. Drives adoption of AI-assisted security testing and continuous security assurance practices. |
| QA Engineer (Manual) | Required | Defines the organizational QA strategy. Fosters the quality engineering culture. Implements platform solutions for testing. |
| QA Security Engineer | Required | Designs the organizational security testing strategy: continuous security assurance, automated compliance verification, security testing center of excellence. |
| Security Analyst | Required | Defines the enterprise security monitoring and vulnerability management strategy. Shapes organizational security analytics capabilities and risk management frameworks. Drives adoption of advanced threat detection and automated security assessment at scale. Coordinates compliance requirements and industry standards for security testing practices. |