Security Assessment and Testing
5 lessons ~2h
Verifying that controls actually work. Covers assessment/test/audit strategy, the full toolbox of control testing (vulnerability scans, pen tests, code review, misuse cases), collecting process data (KPIs/KRIs), reporting with remediation, and internal/external/third-party audits.
Lessons
- 6.1 Design and validate assessment, test, and audit strategies
  Plan testing by who performs it and where. Distinguish internal, external, and third-party assessments across on-prem, cloud, and hybrid locations.
  ~20 min
- 6.2 Conduct security control testing
  The core lesson. Know each technique and when to use it: vulnerability assessment vs. penetration test (red/blue/purple teams), log review, synthetic transactions, code review and testing, misuse cases, interface testing, coverage analysis, breach and attack simulation, and compliance checks.
  ~45 min
- 6.3 Collect security process data
  Gather the technical and administrative evidence that proves the program runs: account management, management review, KPIs/KRIs, backup verification, training, and DR/BC data.
  ~25 min
- 6.4 Analyze test output and generate report
  Turn findings into action: remediation, exception handling, and ethical disclosure of vulnerabilities.
  ~20 min
- 6.5 Conduct or facilitate security audits
  Audits validate compliance and effectiveness. Know the internal/external/third-party distinction (e.g., SOC 1/2/3 reports) across deployment locations.
  ~20 min