
Chapter 7: Domain 6: Security Assessment and Testing

Abstract

Domain 6 discusses security assessment and testing, which are critical components of any information security program. Organizations must accurately assess their real-world security, focus on the most critical components, and make necessary changes to improve. This domain describes two major components of assessment and testing: overall security assessments (including vulnerability scanning, penetration testing, security assessments, and security audits) and testing software via static and dynamic methods. Static testing tests the code passively: the code is not running. This includes walkthroughs, syntax checking, and code reviews. Dynamic methods include fuzzing, a type of black box testing that submits random, malformed data as inputs into software programs to determine if they will crash.

Keywords

Breach attack simulations; Dynamic Application Security Testing; Fuzzing; Key performance indicator; Key risk indicator; Misuse case testing; Penetration testing; Static Application Security Testing; Synthetic transactions

Exam Objectives in this Chapter:

  • Security Control Testing
  • Collecting Security Process Data

Unique Terms and Definitions

  • Breach Attack Simulations (BAS)—Seek to automate penetration tests, and often run 24/7/365
  • Dynamic Application Security Testing (DAST)—Tests code while executing it
  • Fuzzing—A type of black box testing that submits random, malformed data as inputs into software programs to determine if they will crash
  • Key Performance Indicator (KPI)—A metric for measuring how well a security process performs against its objectives; availability is a common example
  • Key Risk Indicator (KRI)—A method for measuring risk
  • Misuse Case Testing—Modeling the impact of an adversary abusing an application
  • Penetration Testing—Authorized attempt to break into an organization’s physical or electronic perimeter (and sometimes both)
  • Static Application Security Testing (SAST)—Tests code passively: the code is not running
  • Synthetic Transactions—Also called synthetic monitoring; involves building scripts or tools that simulate activities normally performed in an application
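The abstract and the fuzzing definition above describe fuzzing only in outline: malformed inputs are fed to a program to see whether it crashes. The following is an added example, not code from the chapter, showing the mechanics of a minimal mutation-based fuzzer. The target (parse_record), its record layout and its bug are all constructed for the illustration; the point is how a fuzzer separates a crash (an unexpected exception, here an IndexError) from the program's own graceful rejection of bad input (a ValueError), which is exactly the distinction a tester must make when triaging results.

```python
"""Minimal mutation-based fuzzer driving a constructed, deliberately buggy parser."""
import random
from typing import Callable, Dict, List

# --- Constructed target (stands in for the software under test) --------------
# Record layout assumed for this example: [payload_len][payload ...][checksum].
# The bug: the parser trusts payload_len and indexes past the end of short buffers.
def parse_record(data: bytes) -> int:
    if len(data) < 2:
        raise ValueError("record too short")          # graceful, expected rejection
    payload_len = data[0]
    payload = data[1:1 + payload_len]
    checksum = data[1 + payload_len]                   # BUG: IndexError when buffer is short
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")               # graceful, expected rejection
    return payload_len


def make_valid_record(payload: bytes) -> bytes:
    """Build a well-formed record; used as the fuzzer's seed corpus."""
    return bytes([len(payload)]) + payload + bytes([sum(payload) % 256])


# --- Fuzzer -------------------------------------------------------------------
def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, boundary value, insert, or delete."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:                                # flip a single bit
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:                              # overwrite with a boundary value
        i = rng.randrange(len(buf))
        buf[i] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
    elif op == 2:                                      # insert a random byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:                                          # delete a byte
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target: Callable[[bytes], object], seeds: List[bytes],
         iterations: int = 2000, seed: int = 1) -> Dict[str, bytes]:
    """Black-box fuzzing loop: mutate a seed, run the target, record crashes.

    A ValueError is the target rejecting bad input on purpose and is ignored.
    Any other exception is treated as a crash; one input is kept per distinct
    exception type and message so findings are deduplicated for triage.
    """
    rng = random.Random(seed)                          # fixed seed: reproducible run
    crashes: Dict[str, bytes] = {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:                       # noqa: BLE001 - crash, not rejection
            key = f"{type(exc).__name__}: {exc}"
            crashes.setdefault(key, case)
    return crashes


def reproduces(target: Callable[[bytes], object], case: bytes) -> bool:
    """Re-run a saved crashing input; True if it still crashes (not a ValueError)."""
    try:
        target(case)
    except ValueError:
        return False
    except Exception:                                  # noqa: BLE001
        return True
    return False


if __name__ == "__main__":
    corpus = [make_valid_record(b"hello"), make_valid_record(b"")]
    for key, case in fuzz(parse_record, corpus).items():
        print(f"{key!s:40} input={case.hex()} reproduces={reproduces(parse_record, case)}")
```

Running the script prints each distinct crash with the input that triggers it and whether it reproduces; the reproduction step is what turns a fuzzer finding into a bug report a developer can act on. Real fuzzers (AFL++, libFuzzer) add coverage feedback to steer mutations, but the loop of mutate, execute, classify and save is the same.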