Chapter 15: Security Assessment & Testing
Understand the importance of security assessment & testing programs
- Security assessment & testing programs provide an important mechanism for validating the ongoing effectiveness of security controls.
- They include a variety of tools, including vulnerability assessments, penetration tests, software testing, audits & security management tasks designed to validate controls.
- Every organisation should have a security assessment & testing program defined and operational.
Conduct vulnerability assessments & penetration tests
- Vulnerability assessments use automated tools to search for known vulnerabilities in systems, applications & networks.
- These flaws (which may include missing patches, misconfigurations or faulty code) expose the organisation to security risks.
- Penetration tests also use these same tools but supplement them with attack techniques where an assessor attempts to exploit vulnerabilities and gain access to the system.
Perform software testing to validate code moving into production
- Software testing techniques verify that code functions as designed and does not contain security flaws.
- Code review uses a peer review process to formally/informally validate code before deploying it in production.
- Interface testing assesses the interactions between components and users with API testing, user interface testing and physical interface testing.
Understand the difference between static & dynamic software testing
- Static software testing techniques, such as code reviews, evaluate the security of software without running it, by analysing either the source code or the compiled application.
- Dynamic testing evaluates the security of software in a runtime environment and is often the only option for organisations deploying applications written by someone else.
Explain the concept of fuzzing
- Fuzzing uses modified inputs to test software performance under unexpected circumstances.
- Mutation fuzzing modifies known inputs to generate synthetic inputs that may trigger unexpected behaviour.
- Generational fuzzing develops inputs based on models of expected inputs to perform the same task.
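An added example (not from this chapter) that shows the two fuzzing styles side by side against a toy record parser. The record format, the parser and its missing bounds check are all constructed for the illustration; the point is that mutation fuzzing starts from a known-good record and perturbs it, while generational fuzzing builds inputs from a model of the format and drives fields to boundary values. Both return crashes that are not the parser's intended rejection (ValueError), which is how a tester separates a bug from a correctly refused input.

```python
import random

# Toy record format used as the fuzz target (constructed for this example):
#   [type:1 byte][len:1 byte][payload:len bytes][checksum:1 byte]
# The parser is deliberately missing bounds checks so the fuzzers have a real defect to find.
def parse_record(data: bytes) -> dict:
    rtype = data[0]
    length = data[1]
    payload = data[2:2 + length]
    checksum = data[2 + length]           # IndexError when len claims more bytes than exist
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")  # expected rejection, not a crash
    return {"type": rtype, "payload": payload}


def build_record(rtype: int, payload: bytes) -> bytes:
    """Produce a well-formed record: the 'known good' seed for mutation fuzzing."""
    return bytes([rtype, len(payload)]) + payload + bytes([sum(payload) % 256])


def run_case(data: bytes):
    """Return the exception class name for an unexpected crash, or None."""
    try:
        parse_record(data)
    except ValueError:
        return None                       # input refused by design
    except Exception as exc:              # anything else is a bug worth reporting
        return type(exc).__name__
    return None


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Mutation fuzzing: derive a synthetic input from a known-good one."""
    data = bytearray(seed)
    op = rng.randrange(3)
    if op == 0 and data:                  # overwrite one byte
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == 1 and data:                # truncate
        del data[rng.randrange(len(data)):]
    else:                                 # insert a byte
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    return bytes(data)


def mutation_fuzz(seed: bytes, iterations: int = 200, rng_seed: int = 1) -> dict:
    """Run mutated variants of `seed`; map each crash type to the first input that triggered it."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        err = run_case(case)
        if err:
            crashes.setdefault(err, case)
    return crashes


def generational_fuzz(rng_seed: int = 1) -> dict:
    """Generational fuzzing: build inputs from a model of the format, deliberately
    driving the declared length to boundary values that differ from the real payload size."""
    rng = random.Random(rng_seed)
    crashes = {}
    for declared_len in (0, 1, 4, 5, 127, 255):
        for actual_len in (0, 4, 8):
            payload = bytes(rng.randrange(256) for _ in range(actual_len))
            case = bytes([rng.randrange(256), declared_len]) + payload + bytes([sum(payload) % 256])
            err = run_case(case)
            if err:
                crashes.setdefault(err, case)
    return crashes


if __name__ == "__main__":
    seed = build_record(1, b"hello")
    print("mutation:", mutation_fuzz(seed))
    print("generational:", generational_fuzz())
```

The generational run needs only a handful of cases because the model already encodes where the interesting boundaries are; the mutation run finds the same defect without knowing the format, but needs many more iterations and a good seed input.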
Perform security management tasks to provide oversight to the information security program
- Security managers must perform a variety of activities to retain proper oversight of the information security program.
- Log reviews, particularly for any administrator activities, ensure that systems are not misused.
- Account management reviews ensure that only authorised users retain access to information systems.
- Backup verification ensures that the organisation’s data protection process is functioning properly.
- Key performance & risk indicators provide a high-level view of security program effectiveness.
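An added example (not part of this chapter) of two of the oversight tasks above automated over constructed data: a log review that flags privileged (sudo) activity breaking a stated policy, and an account management review that flags accounts with no current owner or no recent use. The log lines, the HR roster, the approved-administrator list and the change window are all hypothetical values chosen for the illustration.

```python
import re
from datetime import datetime

# Constructed sample auth-log lines (not from a real system).
AUTH_LOG = """\
2024-05-02T02:14:07 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt upgrade
2024-05-02T09:30:11 host1 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/useradd tmpsvc
2024-05-02T10:02:45 host1 sshd: Accepted publickey for carol from 10.0.0.5 port 51022
2024-05-02T11:15:00 host1 sudo: carol : TTY=pts/2 ; PWD=/var/www ; USER=root ; COMMAND=/bin/systemctl restart nginx
"""

# Assumed organisational policy (hypothetical values for the example).
APPROVED_ADMINS = {"alice", "carol"}
CHANGE_WINDOW = range(8, 18)            # privileged work expected 08:00-17:59 local time
ACCOUNT_COMMANDS = {"useradd", "usermod", "userdel", "passwd"}

SUDO_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sudo: (?P<user>\S+) : .*?COMMAND=(?P<cmd>.+)$")


def review_admin_activity(log_text: str) -> list:
    """Log review: one finding per privileged event that breaks a policy rule."""
    findings = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue                      # only privileged (sudo) events are in scope here
        ts = datetime.fromisoformat(m["ts"])
        cmd = m["cmd"]
        program = cmd.split()[0].rsplit("/", 1)[-1]
        reasons = []
        if m["user"] not in APPROVED_ADMINS:
            reasons.append("privileged command by non-approved user")
        if ts.hour not in CHANGE_WINDOW:
            reasons.append("outside change window")
        if program in ACCOUNT_COMMANDS:
            reasons.append("account modification")
        if reasons:
            findings.append({"time": m["ts"], "user": m["user"], "command": cmd, "reasons": reasons})
    return findings


# Constructed account inventory (username -> last login date) and the HR roster
# of people who should still hold access; hypothetical data for the example.
ACCOUNTS = {
    "alice": "2024-04-30", "bob": "2024-05-01", "carol": "2024-05-02",
    "dave": "2023-11-15", "erin": "2024-01-10", "svc_backup": "2024-05-01",
}
HR_ROSTER = {"alice", "bob", "carol", "erin"}
SERVICE_ACCOUNTS = {"svc_backup"}        # system-owned; reviewed under a separate process


def review_accounts(accounts: dict, roster: set, review_date: str, dormant_days: int = 90) -> dict:
    """Account management review: flag accounts with no current owner or no recent use."""
    today = datetime.fromisoformat(review_date)
    orphaned, dormant = [], []
    for user, last_login in sorted(accounts.items()):
        if user in SERVICE_ACCOUNTS:
            continue
        if user not in roster:
            orphaned.append(user)         # nobody in HR owns this account any more
        if (today - datetime.fromisoformat(last_login)).days > dormant_days:
            dormant.append(user)          # unused long enough to question whether access is needed
    return {"orphaned": orphaned, "dormant": dormant}


if __name__ == "__main__":
    for f in review_admin_activity(AUTH_LOG):
        print(f["time"], f["user"], f["command"], "->", "; ".join(f["reasons"]))
    print(review_accounts(ACCOUNTS, HR_ROSTER, "2024-05-03"))
```

Each finding is tied to a named rule rather than a free-text judgement, which is what makes the review repeatable and lets the resulting counts feed a key risk indicator such as "privileged commands outside the change window per month".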
Conduct or facilitate internal & third-party audits
- Security audits assess the security controls protecting an organisation; internal audits are performed by the organisation's own staff and are intended for management use.
- External audits are performed by a third-party audit firm and are generally intended for the organisation’s governing body.