Introduction
This domain focuses on how organizations verify that security controls are properly implemented and effective. It includes testing, auditing, vulnerability management, and continuous monitoring.
For ICT professionals, assessment and testing are critical because security controls that are not tested may fail silently, leaving systems exposed to real-world attacks.
- Understand the different testing methods and when to apply each.
- Evaluate the effectiveness of security controls and identify weaknesses.
- Interpret results and improve security posture continuously.
Figures
Assessment lifecycle
Testing types
Case Examples
Missed vulnerability
A critical vulnerability remains undetected because the affected assets are never scanned, so it never enters the remediation process.
- Implement regular vulnerability scans on a fixed schedule and after significant changes, covering every in-scope asset
- Apply patch management with remediation deadlines tied to severity, and rescan to confirm that the fix is in place
Weak testing coverage
Security controls exist in policy and configuration but are never exercised, so there is no evidence that they work against a real attack.
- Perform penetration testing that exercises the deployed controls under realistic attack scenarios
- Conduct audits and configuration reviews against a documented baseline, and track each finding to remediation
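The second case comes down to controls that were never validated. The script below, an added example and not material from the original page, shows what a minimal configuration review looks like: it parses an sshd_config-style excerpt, compares the effective settings against a baseline, and records the line that serves as evidence for each result. The baseline values, the config excerpt, and the names `BASELINE`, `SAMPLE_CONFIG`, `check_baseline` and `pass_rate` are constructed for this demonstration; the baseline is not a quotation of any published benchmark.

```python
"""Baseline configuration check for an sshd_config-style file.

Added example, not part of the original page. It illustrates a
configuration review: compare the effective settings of a service
against a baseline and keep the evidence (line number and text) for the
assessment report. The baseline and the config excerpt are constructed
for this demonstration, not taken from a published benchmark.
"""
from dataclasses import dataclass
from typing import Optional

# Hypothetical baseline: keyword -> acceptable values (compared case-insensitively).
BASELINE = {
    "PermitRootLogin": {"no"},
    "PasswordAuthentication": {"no"},
    "PermitEmptyPasswords": {"no"},
    "X11Forwarding": {"no"},
}

# Constructed config excerpt. Note the duplicate PermitRootLogin: sshd uses the
# first value it reads for a keyword, so the later "no" does not override "yes".
SAMPLE_CONFIG = """\
# sshd_config (constructed excerpt)
Port 22
PermitRootLogin yes
PasswordAuthentication no
#X11Forwarding no
permitemptypasswords no
PermitRootLogin no
"""


@dataclass(frozen=True)
class Result:
    control: str
    status: str            # "PASS", "FAIL" or "NOT SET"
    line: Optional[int]    # line number of the evidence, None when the control is not set
    evidence: str


def effective_settings(text: str) -> dict[str, tuple[int, str, str]]:
    """Return lowercased keyword -> (line number, value, raw line); first occurrence wins."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                    # comments and blank lines are not effective settings
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key = parts[0].lower()          # sshd keywords are case-insensitive
        if key not in settings:         # sshd semantics: the first obtained value is used
            settings[key] = (lineno, parts[1].strip(), raw)
    return settings


def check_baseline(text: str, baseline=BASELINE) -> list[Result]:
    """Compare the effective settings against the baseline, one Result per control."""
    settings = effective_settings(text)
    results = []
    for control, allowed in baseline.items():
        found = settings.get(control.lower())
        if found is None:
            # Relying on an undocumented default is not a validated control.
            results.append(Result(control, "NOT SET", None, "no explicit setting (default in effect)"))
            continue
        lineno, value, raw = found
        status = "PASS" if value.lower() in {a.lower() for a in allowed} else "FAIL"
        results.append(Result(control, status, lineno, raw.strip()))
    return results


def pass_rate(results: list[Result]) -> float:
    """Security metric: fraction of baseline controls validated as PASS (NOT SET is not a pass)."""
    return sum(r.status == "PASS" for r in results) / len(results)


if __name__ == "__main__":
    results = check_baseline(SAMPLE_CONFIG)
    for r in results:
        where = f"line {r.line}" if r.line is not None else "-"
        print(f"{r.status:8} {r.control:24} {where:8} {r.evidence}")
    print(f"pass rate: {pass_rate(results):.0%}")
```

Two details matter for the assessment. sshd applies the first value it reads for a keyword, so the later `PermitRootLogin no` does not repair the earlier `yes`; a review that only greps for `PermitRootLogin no` would report a false pass. A control that is commented out is reported as NOT SET rather than PASS, because a default that nobody has verified is not a validated control.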
Glossary (50 Terms)
| # | Term | Definition |
|---|---|---|
| 1 | Security Assessment | A structured evaluation of security controls to determine whether they are properly implemented and effective in protecting systems and data. |
| 2 | Vulnerability Assessment | The process of identifying, classifying, and prioritizing vulnerabilities in systems, applications, and networks. |
| 3 | Penetration Testing | A simulated attack on a system to identify exploitable vulnerabilities and assess real-world security defenses. |
| 4 | Audit | A formal, independent review of systems and processes to determine whether they comply with policies, standards, and regulations, producing evidence-backed findings. |
| 5 | Monitoring | Continuous observation of systems and networks to detect anomalies, threats, or policy violations. |
| 6 | SAST | Static Application Security Testing analyzes source code without executing it to identify vulnerabilities early in development. |
| 7 | DAST | Dynamic Application Security Testing exercises a running application by sending inputs and observing its responses, finding vulnerabilities that appear only at execution time and without requiring access to source code. |
| 8 | Security Testing | The process of evaluating systems to identify vulnerabilities, misconfigurations, and weaknesses that could be exploited. |
| 9 | Test Plan | A documented approach outlining scope, objectives, and methods used during security testing activities. |
| 10 | Test Coverage | The extent to which testing activities evaluate different components, functions, and scenarios within a system. |
| 11 | Threat Modeling | The process of identifying potential threats and vulnerabilities during system design and development. |
| 12 | Code Review | Manual or automated examination of source code to identify security flaws and ensure compliance with coding standards. |
| 13 | Configuration Review | Evaluation of system configurations to ensure secure settings and compliance with security policies. |
| 14 | Log Analysis | The process of reviewing system and application logs to detect suspicious activities and security incidents. |
| 15 | Continuous Monitoring | Ongoing assessment of systems and controls to detect changes, vulnerabilities, or threats in real time. |
| 16 | Risk Assessment | The process of identifying and evaluating risks to determine their potential impact and likelihood. |
| 17 | Security Metrics | Quantitative measures used to evaluate the effectiveness of security controls and overall security posture. |
| 18 | Compliance Testing | Verifying that systems and processes meet regulatory, legal, and policy requirements. |
| 19 | Baseline | A standard configuration or performance level used as a reference point for security assessments. |
| 20 | Scanning | Automated process of identifying vulnerabilities or misconfigurations within systems or networks. |
| 21 | False Positive | A test result indicating a vulnerability that does not actually exist, requiring validation. |
| 22 | False Negative | A failure to detect an existing vulnerability, potentially leaving systems exposed. |
| 23 | Exploit | A method or tool used to take advantage of a vulnerability in a system. |
| 24 | Security Control Testing | Evaluating whether implemented controls function correctly and effectively mitigate risks. |
| 25 | Red Team | A group that simulates adversary attacks to test organizational security defenses. |
| 26 | Blue Team | A group responsible for defending systems against attacks and responding to incidents. |
| 27 | Purple Team | A collaborative approach combining red and blue team efforts to improve security testing and defense. |
| 28 | Security Testing Tools | Software used to automate vulnerability scanning, testing, and analysis activities. |
| 29 | Security Assessment Report | A document summarizing findings, vulnerabilities, and recommendations identified during testing. |
| 30 | Remediation | The process of fixing identified vulnerabilities and improving security controls. |
| 31 | Patch Management | The process of identifying, acquiring, testing, deploying, and verifying updates that fix vulnerabilities, with timelines based on severity. |
| 32 | Penetration Scope | The defined boundaries and targets included in a penetration test engagement. |
| 33 | Test Environment | A controlled setting where security tests are performed without impacting production systems. |
| 34 | Live Testing | Security testing conducted on operational systems, requiring careful planning to avoid disruption. |
| 35 | Internal Testing | Testing performed from within the organization’s network to simulate an insider or an attacker who has already gained a foothold. |
| 36 | External Testing | Testing conducted from outside the network to simulate external attacker behavior. |
| 37 | Black Box Testing | Testing without prior knowledge of the system, simulating an external attacker’s perspective. |
| 38 | White Box Testing | Testing with full knowledge of the system, including source code and architecture. |
| 39 | Gray Box Testing | Testing with partial knowledge of the system to balance realism and efficiency. |
| 40 | Security Benchmark | A standard guideline used to evaluate system configurations and security practices. |
| 41 | Security Posture | The overall strength of an organization’s security controls and readiness against threats. |
| 42 | Control Validation | Confirming that security controls are correctly implemented and operating as intended. |
| 43 | Evidence Collection | Gathering data during testing to support findings and conclusions. |
| 44 | Forensic Readiness | Preparation to collect and preserve evidence for investigations. |
| 45 | Security Testing Framework | A structured approach guiding testing processes and methodologies. |
| 46 | Automation | Using tools to perform repetitive testing tasks efficiently and consistently. |
| 47 | Manual Testing | Human-driven testing that identifies complex vulnerabilities tools may miss. |
| 48 | Risk-Based Testing | Prioritizing testing efforts based on risk levels and potential impact. |
| 49 | Continuous Improvement | Ongoing enhancement of security controls based on testing results and evolving threats. |
| 50 | Security Validation | The process of ensuring systems meet security requirements and perform as expected under testing conditions. |
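Several glossary entries (SAST, False Positive, False Negative, Evidence Collection) are easiest to grasp with a concrete static check. The script below is an added example, not code from the original page: a tiny SAST-style analyzer built on Python's standard `ast` module that inspects source code without executing it and records the offending line as evidence. The sample program it scans (`SAMPLE_SOURCE`), the rule names, and the function names are constructed for this illustration.

```python
"""Mini static analyzer (SAST-style) built on Python's ast module.

Added example, not part of the original page. It scans Python source text
without executing it and reports calls that commonly indicate injection or
unsafe-deserialization risk. The sample program below is constructed for
the demonstration.
"""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    evidence: str   # the offending source line, kept as evidence for the report


# Constructed sample program, the kind of internal tool a reviewer might be handed.
SAMPLE_SOURCE = '''\
import subprocess
import yaml

def run(cmd):
    # never use eval() here - this comment must not trigger a finding
    banner = "eval(" + cmd + ")"
    return subprocess.run(cmd, shell=True, capture_output=True)

def load_cfg(text):
    return yaml.load(text)

def safe_load_cfg(text):
    return yaml.safe_load(text)

def compute(expr):
    return eval(expr)
'''


def _call_name(node: ast.Call) -> str:
    """Return a dotted name for the callee, e.g. 'subprocess.run' or 'eval'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        parts = []
        while isinstance(func, ast.Attribute):
            parts.append(func.attr)
            func = func.value
        if isinstance(func, ast.Name):
            parts.append(func.id)
        return ".".join(reversed(parts))
    return ""


def scan_source(source: str) -> list[Finding]:
    """Parse `source` and apply three rules; nothing in `source` is executed."""
    tree = ast.parse(source)
    lines = source.splitlines()
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        rule = None
        if name in ("eval", "exec"):
            rule = "dynamic-code-execution"
        elif name.startswith("subprocess.") and any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
            for kw in node.keywords
        ):
            rule = "shell-injection"
        elif name == "yaml.load" and not any(kw.arg == "Loader" for kw in node.keywords):
            rule = "unsafe-deserialization"
        if rule:
            findings.append(Finding(rule, node.lineno, lines[node.lineno - 1].strip()))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"{f.rule:24} line {f.line}: {f.evidence}")
```

Because the analyzer works on the syntax tree rather than on text, the comment and the string literal that mention `eval(` produce no finding; a grep-style check would report both as false positives that someone then has to validate by hand. The opposite failure is visible too: the rules match `subprocess.run(..., shell=True)` by its dotted name, so `from subprocess import run as sh` followed by `sh(cmd, shell=True)` would slip past as a false negative. That gap is why SAST results are complemented with DAST and manual code review rather than treated as complete coverage.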