Measuring What Matters
Domain 6 accounts for 12% of the CISSP exam. Here’s a reality that catches many security teams: you can’t manage what you don’t measure. Assessment and testing tell you whether your security controls actually work, not just whether they’re installed.
In practice, this means vulnerability assessments, penetration testing, security audits, and continuous monitoring. Each serves different purposes and provides different insights.
Vulnerability Assessment vs Penetration Testing
Vulnerability assessments identify potential weaknesses. They scan systems, compare configurations against benchmarks, and report findings. Assessments are broad—they find many issues but don’t prove exploitability. Running Nessus against your network finds missing patches but doesn’t show what an attacker could actually accomplish.
Penetration testing proves vulnerabilities can be exploited. Testers attempt to breach defenses using attacker techniques. They chain vulnerabilities, pivot between systems, and demonstrate real impact. A pen test might start with a phishing email, use initial access to find credentials, then move laterally to reach sensitive data.
- Black box testing simulates external attackers with no internal knowledge. Testers start with just a company name and find their own way in. This tests detection and response as well as preventive controls.
- White box testing provides testers full access to documentation, source code, and architecture. More efficient for finding vulnerabilities but doesn’t test realistic attack scenarios.
- Gray box testing provides partial information—perhaps network diagrams but not credentials. Balances efficiency with realism.
- Red team exercises simulate advanced persistent threats over extended periods. Unlike time-boxed pen tests, red teams pursue objectives using any available technique, testing the full security program.
Security Audits
Audits verify compliance with policies, standards, and regulations. Internal audits assess against organizational requirements. External audits provide independent verification for stakeholders and regulators.
SOC 2 audits examine service organization controls. Type I reports assess control design at a point in time. Type II reports assess operational effectiveness over a period—typically six months to a year. SOC 2 Type II has become the de facto requirement for SaaS vendors.
Log Analysis and Monitoring
Logs provide the evidence trail for security events. SIEM systems aggregate logs from multiple sources, correlate events, and generate alerts. Effective log management requires collecting the right logs, retaining them appropriately, and analyzing them for security-relevant events.
Key metrics include Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR). If it takes 200 days to detect a breach, attackers have months to achieve objectives. Reducing detection time directly reduces breach impact.
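As an added example that is not part of this article, the Python below shows the SIEM correlation idea in miniature: it parses a few constructed sshd log lines, raises an alert when one source IP fails five logins within a minute and then succeeds, and computes MTTD as the mean gap between the first failed attempt and the alert. The log lines, threshold, window and function names are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-style); not taken from any real system.
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z sshd[101]: Failed password for admin from 203.0.113.7 port 5001
2024-03-01T10:00:03Z sshd[101]: Failed password for admin from 203.0.113.7 port 5002
2024-03-01T10:00:04Z sshd[101]: Failed password for root from 203.0.113.7 port 5003
2024-03-01T10:00:06Z sshd[101]: Failed password for admin from 203.0.113.7 port 5004
2024-03-01T10:00:07Z sshd[101]: Failed password for admin from 203.0.113.7 port 5005
2024-03-01T10:00:09Z sshd[101]: Accepted password for admin from 203.0.113.7 port 5006
2024-03-01T10:05:00Z sshd[102]: Failed password for bob from 198.51.100.4 port 6001
2024-03-01T10:05:30Z sshd[102]: Accepted password for bob from 198.51.100.4 port 6002
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)")

def parse(log_text):
    """Normalise raw lines into event dicts; lines that do not match are dropped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                           "result": m["result"], "user": m["user"], "src": m["src"]})
    return events

def correlate(events, threshold=5, window=timedelta(minutes=1)):
    """Alert when a source IP has >= threshold failures inside `window`
    and then a successful login (brute-force-then-success rule)."""
    alerts = []
    failures = defaultdict(list)  # src -> timestamps of recent failures
    for e in events:
        recent = [t for t in failures[e["src"]] if e["ts"] - t <= window]
        failures[e["src"]] = recent  # expire failures outside the window
        if e["result"] == "Failed":
            failures[e["src"]].append(e["ts"])
        elif len(recent) >= threshold:
            alerts.append({"src": e["src"], "user": e["user"],
                           "first_failure": recent[0], "alert_at": e["ts"]})
    return alerts

def mean_time_to_detect(alerts):
    """MTTD here: mean seconds from the first failed attempt to the alert."""
    if not alerts:
        return 0.0
    gaps = [(a["alert_at"] - a["first_failure"]).total_seconds() for a in alerts]
    return sum(gaps) / len(gaps)
```

The second source (one failure, then success) stays below the threshold and raises nothing, which is the false-positive trade-off every correlation rule has to tune.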
Software Testing
SAST (Static Application Security Testing) analyzes source code without executing it. It finds vulnerabilities early in development but produces false positives. DAST (Dynamic Application Security Testing) tests running applications and finds runtime issues that SAST misses. IAST (Interactive Application Security Testing) combines both approaches by instrumenting the running application.
Software Composition Analysis (SCA) identifies vulnerabilities in third-party libraries. Modern applications depend heavily on open-source components. A vulnerable library affects every application using it.
Connecting to Other Domains
Domain 7 acts on assessment findings during incident response. Domain 8 integrates security testing into development pipelines. Domain 1 uses assessment results for risk decisions.
The practice questions test understanding of when to use which assessment type and how to interpret findings for risk-based decisions.
Assessment and testing reveal the gap between intended security and actual security. Organizations that test regularly find problems before attackers do. Those that don’t test discover their weaknesses the hard way.