Continuing the series, this article focuses on Domain 6, “Security Assessment and Testing”. This is the simplest and shortest of all the CISSP domains.

The objective of this domain is to test candidates’ understanding of managing the risks involved in developing, operating and sustaining systems and capabilities. So let’s jump into the main points with reference to the exam:

  • Understand the concepts of Verification and Validation and the difference between them:
    • Verification: It deals with the consistency of the design output across all phases that the software/product undergoes. It also looks for appropriate documentation for every phase.
    • Validation: It establishes confidence that the software meets all the requirements and expectations as documented.
  • Familiarize yourself with the common vulnerability lists (OWASP Top 10, SANS Top 25, etc.): primarily, what they are and how they are exploited.
  • Understand the concept of log management. It is also important to know how the log management process within a large organization is complicated by factors such as a high number of log sources, inconsistent log formats, and varying timestamps among log sources.
  • Familiarize yourself with the following points for security solutions such as antimalware, IDS/IPS, web proxies, authentication servers, routers, firewalls and Network Access Control:
    • What are their functions and their limitations?
    • Where are they placed in the network?
    • The differences between IDS and IPS, and between firewalls and routers.
  • Real User Monitoring (RUM) and Synthetic Performance Monitoring:
    • Real User Monitoring: Its aim is to capture and analyze every transaction of every user of a website or application.
    • Synthetic Performance Monitoring: This monitoring is done with the help of external agents that imitate user actions.
    • The difference between RUM and synthetic transactions is that synthetic transactions do not track real user sessions.

  • Differences between the following testing techniques:
    • Black Box Testing vs White Box Testing: In black box testing, the tester has no knowledge of the environment, whereas in white box testing the tester has full knowledge of the environment.
    • Dynamic Testing vs Static Testing: In dynamic testing, the system under test is observed while it runs, which is not the case in static testing.
    • Manual Testing vs Automated Testing: Manual testing is conducted by humans, whereas automated testing is done with the help of applications that automate the whole test.
  • Code-based testing is also known as structural testing or white box testing, whereas definition-based testing is also known as functional testing or black box testing.
  • Types of Structural Testing:
    • Statement Coverage: Each statement is executed once.
    • Decision Coverage: Each branch is executed once.
    • Condition Coverage: Each program condition is executed once. This even extends to nested conditions.
    • Loop Coverage: All iterations of a loop are tested once.
    • Data Flow Coverage: Each data flow is executed once.
  • Types of Functional Testing:
    • Normal Testing: In this case, normal inputs are passed to the program. This is by no means complete testing in itself.
    • Anti-normal or Robustness Testing: This testing provides unexpected inputs to the program in order to test its functionality and stability.
  • Learn as much as you can about Regression Testing and Regression Analysis.
  • Negative Testing:
    • Unexpected inputs are given to the program. An important point to note is that in negative testing, an exception is expected. For example, negative testing can be done in the following ways:
      • Test for required fields’ authenticity
      • Data type check
      • Input data size check
      • Input data validation check
      • Web session testing
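As an added illustration (not part of the original article) of normal versus negative testing, the following constructed validator enforces the required-field, data-type, input-size and input-validation checks listed above, and a small harness feeds it one normal input and one unexpected input per check. The names, field limits and test payloads are assumptions made for this example; every negative case is expected to raise `ValidationError`, and a case the validator accepts is a defect.

```python
# Added example: input validator plus the negative tests run against it.
# Each negative case is expected to raise; silent acceptance is a finding.
import re

class ValidationError(Exception):
    """Raised whenever input fails a check; negative tests expect this."""

MAX_USERNAME = 32                      # input size limit (assumed for this example)
USERNAME_RE = re.compile(r"^[a-z0-9_]+$")

def validate_registration(payload: dict) -> dict:
    """Validate a registration request; return the cleaned fields or raise."""
    # 1. Required-field check: the field must exist and be non-empty.
    for field in ("username", "age"):
        if field not in payload or payload[field] in (None, ""):
            raise ValidationError(f"missing required field: {field}")
    username, age = payload["username"], payload["age"]
    # 2. Data-type check: no implicit coercion of "30" or True to an int.
    if not isinstance(username, str) or isinstance(age, bool) or not isinstance(age, int):
        raise ValidationError("wrong data type")
    # 3. Input-size check before any further processing of the string.
    if len(username) > MAX_USERNAME:
        raise ValidationError("username too long")
    # 4. Input-data validation: allowed character set and numeric range.
    if not USERNAME_RE.match(username):
        raise ValidationError("username contains disallowed characters")
    if not 13 <= age <= 120:
        raise ValidationError("age out of range")
    return {"username": username, "age": age}

# Constructed test inputs: one normal case and one negative case per check.
NORMAL_CASE = {"username": "alice_01", "age": 30}
NEGATIVE_CASES = {
    "required field missing": {"age": 30},
    "wrong type (string age)": {"username": "alice", "age": "30"},
    "wrong type (bool age)": {"username": "alice", "age": True},
    "oversized input": {"username": "a" * 5000, "age": 30},
    "disallowed characters": {"username": "alice'; --", "age": 30},
    "out-of-range value": {"username": "alice", "age": -1},
}

def run_negative_tests() -> dict:
    """Map each case name to True if the validator rejected it, else False."""
    results = {}
    for name, payload in NEGATIVE_CASES.items():
        try:
            validate_registration(payload)
            results[name] = False      # bad input accepted: a defect to report
        except ValidationError:
            results[name] = True       # the expected exception occurred
    return results
```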


  • Interface testing: In this, different components are tested in combination with each other.
    • Server Interface: Compatibility of hardware, software and network connections.
    • External Interface: Testing is done to check the application’s compatibility with external applications. All browser compatibility testing is also covered here.
    • Internal Interface: All the internal components of the application are tested, such as site plug-ins, browser crashes, error handling, etc.
  • Information Security Continuous Monitoring (ISCM): This comprises ongoing awareness of information security in an organization, which includes the latest vulnerability information, threats, risk management, etc.
  • Evolution of the new SOC 2 and SOC 3 reports: Earlier, only SOC 1 existed, which is also referred to as SSAE 16 and applies mainly to risks around financial reporting. With SOC 2 and SOC 3, the applicability has been extended to security, availability, confidentiality, integrity and privacy.

This article sums up the important points with reference to Domain 6.