Professional Documents
Culture Documents
Copy Link
For this reason, domain 6 of the CISSP certification covers security assessment
and testing, which comprises 12% of the exam material. We will explore
everything you need to know to pass domain 6 in this guide successfully.
It asks a related and equally important question: Are we building the product
correctly?
Both terms underscore the necessity and importance of early and ongoing
testing, not simply testing after a product has been built.
Both terms underscore the necessity and importance of early and ongoing
testing, not simply testing after a product has been built.
Testing strategies
Testing strategies can be considered from three broad contexts: internal,
external, and third party.
To identify risk
To advise testing processes and ensure risks are appropriately evaluated
To provide advice and support to stakeholders
Testing overview
Examines and tests individual components of an
Unit testing application. As specific aspects (units) of
functionality are finished, they can be tested.
Keep in mind that this is not an official framework and shouldn't be memorized; it
is meant to provide an overview and highlight that testing is required during
every stage of a system's life cycle from the start and throughout.
Testing techniques
Methods and tools
Several testing techniques can and should be utilized when developing an
application or other software, and they can be done via manual or automated
means.
Manual testing means a person or team of people is performing the tests. They
might be following a specific process, but they're actually sitting in front of a
computer, looking at code, testing a form by entering input, and so on.
Automated testing means that test scripts and batch files are being automatically
manipulated and executed by software. Thorough testing employs both
approaches to produce many outcomes and achieve the best results.
Runtime
Runtime specifically refers to whether an application is running.
With Static Application Security Testing (SAST), an application is not running, and
it's the underlying source code that is being examined. Static testing is a form of
white box testing because the code is visible.
Fuzz testing is a form of dynamic testing. The entire premise behind fuzz testing
is chaos. In other words, fuzz testing involves throwing randomness at an
application to see how it responds and where it might "break." Fuzz testing is
quite effective because application developers and programmers tend to be
very logical people, and the software they develop tends to reflect this fact.
No access to the source code exists (also known as black box testing)
Access to the source code does exist (also known as white box testing)
Both types of testing provide value and can be mixed and matched as needed to
provide comprehensive results.
Test types
When a system is running, it's possible to test it as if a user was using it.
Specifically, the system can be tested in a few different ways—via positive
testing, negative testing, or misuse testing.
Boundary value analysis requires first identifying where there are changes in
behavior. Once the boundaries have been identified, testing can be focused on
either side of the boundaries, as this is where there are most likely to be bugs.
Equivalence partitioning starts with the same first step of boundary value
analysis – identifying the boundaries, and then goes a step further to identify
partitions. Partitions are groups of inputs that exhibit the same behavior.
Test coverage analysis
Test coverage analysis, or simply "coverage analysis," refers to the relationship
between the amount of source code in a given application and the percentage
of code that has been covered by the completed tests.
Reconnaissance
Enumeration
Vulnerability analysis
Exploitation
Reporting
Testing techniques
Vulnerability assessments and penetration testing can be quite nuanced, and
several variables come into play. These variables include perspective, approach,
and knowledge.
Perspective
Approach
Knowledge
Vulnerability management
Vulnerability scanning
CVE, also known as Common Vulnerability & Exposures dictionary, is "a list of
records—each containing an identification number, a description, and at least
one public reference—for publicly known cybersecurity vulnerabilities."
CVSS, known as Common Vulnerability Scoring System, reflects a method to
characterize a vulnerability through a scoring system considering various
characteristics.
With any type of monitoring system, two types of alerts often show up:
Log review and analysis is a best practice that should be used in every
organization. Logs should include what is relevant, be proactively reviewed, and
be especially scrutinized for errors and anomalies that point to problems,
modifications, or breaches.
Generation
Transmission
Collection
Normalization
Analysis
Retention
Disposal
Circular overwrite limits the maximum size of a log file by overwriting entries,
starting from the earliest.
Clipping levels focus on when to log a given event based upon threshold
settings, and log file sizes are limited as a result.
Regression testing
Compliance checks
Key risk and performance indicators help inform goal setting, action planning,
performance, and review, among other things.
Key risk indicators (KRI) are forward-looking indicators and aid risk-related
decision-making.
Account management
Management review and approval
Backup verification
Training and awareness
Disaster Recovery (DR) and Business Continuity (BC)
Test output
The results of security assessments and testing should include steps related to
remediation, exception handling, and ethical disclosure.
Audit process
Over the years, audit standards have evolved and matured over the years from
SAS70 → SSAE 16 → SSAE 18.
The SSAE 18 standard defines three types of Service Organization Controls
(SOC) reports:
SOC 1 reports are quite basic and focus on financial reporting risks.
SOC 2 reports are much more involved and focus on the controls related to
the five trust principles: security, availability, confidentiality, processing
integrity, and privacy.
SOC 3 reports are stripped-down versions of SOC 2 reports—typically used
for marketing purposes.
From the types of reports defined, it should be clear that SOC 2, Type 2 are the
most desirable reports for security professionals, as they report on the operating
effectiveness of the security controls at a service provider over a period of time.
Filter out all the irrelevant information and focus on what serves you. Enjoy clear
step-to-step guidance and live support from CISSP experts to achieve your
goals. Enroll now in our CISSP MasterClass here and become the security
professional you want to be.
CISSP Guidebook
CCSP
CCSP MasterClass
Flashcard App
Follow Us