CISSP DOMAIN 6: Security Assessment and Testing

What is Static Testing?

Testing code without executing it (code reviews, walkthroughs)

What is Dynamic Testing?

Testing code while it is running

What is Fuzzing?

Sending random or malformed input to test for crashes

What is Pentesting?

Simulated attack to test security defenses

What are Synthetic Transactions?

Scripts that simulate user activity

What is a Security Assessment?

Comprehensive evaluation of security controls

What is a Security Audit?

Evaluation against a standard

What is an Internal Audit?

Conducted to improve internal security

What is an External Audit?

Conducted by third party

What is a Structured Audit?

Formal audit for compliance validation

What is SOC 1?

Focuses on financial controls

What is SOC 2?

Focuses on security and operational controls

What is SOC 3?

Public summary report

What is Type 1 SOC report?

Point-in-time assessment

What is Type 2 SOC report?

Assessment over time (usually 6 months)

What is an On-Premise Environment?

Infrastructure managed internally

What are Legacy Systems?

Older systems with higher risk

What is Shared Responsibility Model?

Security responsibilities shared between provider and customer

What is Data Sovereignty?

Data governed by laws of location

What are you responsible for in IaaS?

OS, applications, and data

What are you responsible for in PaaS?

Applications and data

What are you responsible for in SaaS?

Data (and sometimes access control)

What is Vulnerability Scanning?

Automated scanning for known vulnerabilities

What is War Dialing?

Scanning phone numbers for modems

What is War Driving?

Mapping wireless networks

What are Network Attacks?

Attacks targeting clients, servers, or web apps

What are Wireless Tests?

Testing wireless security risks

What is Exception Handling?

Managing errors in applications

What is White Box Testing?

Full knowledge of system internals

What is Black Box Testing?

No knowledge of system internals

What is Unit Testing?

Testing individual components

What is Integration Testing?

Testing interactions between components

What is Component Interface Testing?

Testing data flow between components

What is Operational Acceptance Testing?

Ensures system readiness before deployment

What is Installation Testing?

Ensures proper installation

What is Regression Testing?

Testing after changes to ensure no new issues

What is Mutating Fuzzing?

Modifying real data inputs for testing

What is All-Pairs Testing?

Testing all combinations of input pairs

What is Misuse Case Testing?

Testing how attackers misuse systems

What is Test Coverage Analysis?

Measures how much code is tested