ISC2 CISSP — Certified Information Systems Security Professional · Domain 6 · 12% of exam

Security Assessment and Testing

Drill 15 practice questions focused entirely on Security Assessment and Testing for the ISC2 CISSP exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer15 questions
Question 1 of 15

A security analyst is establishing a recurring log review process for a financial application. Management wants the review to reliably surface privileged-account misuse without generating overwhelming volumes of raw event data for humans to read manually. Which approach BEST meets this requirement?

Reviewed for accuracy · Report an issue
Question 2 of 15

A SaaS provider's enterprise customers increasingly demand independent assurance that the provider's controls over customer data are designed and operating effectively over a period of time. The provider's internal audit team already performs quarterly control reviews, but customers state that internal reports are insufficient for their own vendor risk programs. Which assessment approach BEST satisfies the customers' requirement?

Reviewed for accuracy · Report an issue
Question 3 of 15

A development team is preparing a web application for release. Security wants to identify insecure coding patterns such as improper input validation and use of deprecated cryptographic functions across the entire codebase, including code paths that may rarely execute at runtime. The team has full access to the source code and wants the earliest possible feedback in the development pipeline. Which testing approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 4 of 15

A security tester is evaluating a newly developed API that parses uploaded XML documents. The tester wants to systematically feed the application large volumes of malformed, unexpected, and random input to discover crashes, memory faults, and unhandled exceptions before attackers do. Which testing technique BEST fits this objective?

Reviewed for accuracy · Report an issue
Question 5 of 15

A security analyst is investigating a suspected multi-stage intrusion that touched a web server, an application server, and a database server. When correlating events across the three systems' logs in the SIEM, the analyst finds that the reconstructed timeline is inconsistent — some downstream events appear to occur before their upstream causes. Which condition is MOST likely undermining the analyst's ability to accurately correlate the log data?

Reviewed for accuracy · Report an issue
Question 6 of 15

A security team is reviewing the requirements and test plan for a new online banking transfer feature. Functional test cases confirm that legitimate users can move money between their own accounts. The security architect argues the test plan is incomplete because it does not model how an attacker might deliberately abuse the feature — for example, manipulating transaction amounts, replaying requests, or transferring from accounts they do not own. Which testing technique should be added to directly address this gap?

Reviewed for accuracy · Report an issue
Question 7 of 15

A financial services firm wants a penetration test that simulates the actions of a malicious insider who has legitimate standard-user network credentials but no documentation of the internal architecture. Leadership wants the test to realistically reflect what such an insider could discover and exploit while keeping the engagement time-efficient. Which testing approach best fits this objective?

Reviewed for accuracy · Report an issue
Question 8 of 15

A security manager has hired an external firm to conduct a black-box penetration test of the company's internet-facing applications. Before the testers begin any activity, the manager wants to ensure the engagement is legally defensible and that testers do not inadvertently disrupt production systems or exceed their authorized boundaries. Which document is MOST important to finalize and sign before testing begins?

Reviewed for accuracy · Report an issue
Question 9 of 15

A CISO is preparing a quarterly report for the board of directors. The security operations team already produces detailed dashboards showing patch counts, mean-time-to-detect, and phishing click rates for internal management. The board, however, wants indicators that give early warning when risk exposure is trending toward levels that could threaten business objectives. Which type of measurement should the CISO emphasize in the board report to best meet this need?

Reviewed for accuracy · Report an issue
Question 10 of 15

A security manager compiles quarterly vulnerability scan results to present to leadership. Over the past year the raw count of open critical vulnerabilities has risen from 40 to 65, but during the same period the organization deployed 300 new servers as part of a cloud migration. Leadership wants to understand whether the security posture is actually deteriorating. What should the manager do to produce the most meaningful analysis of the test output?

Reviewed for accuracy · Report an issue
Question 11 of 15

A retail company operates a customer-facing web application with a critical checkout process. The security operations team wants to proactively detect performance degradation and functional failures in the payment workflow before real customers are affected, especially during off-peak hours when few users are active. Which testing technique BEST meets this requirement?

Reviewed for accuracy · Report an issue
Question 12 of 15

A software security team reports that their automated unit test suite achieves 92% statement coverage on a new payment module. The security assessor reviewing the test strategy notes that several conditional branches containing input-validation logic are never exercised, even though the lines within them are counted as executed. Which action should the assessor recommend to most accurately measure whether the security-relevant logic is being adequately tested?

Reviewed for accuracy · Report an issue
Question 13 of 15

A financial services company is designing its annual security assessment strategy. The security team must decide how frequently to test each system category. The core payment processing platform is subject to PCI DSS, changes rarely, and handles the highest transaction volume. Executive management wants the assessment strategy to be defensible and aligned with both risk and compliance obligations, without wasting resources on low-value testing. Which approach should the team adopt when defining the assessment schedule for the payment platform?

Reviewed for accuracy · Report an issue
Question 14 of 15

A security analyst is tasked with assessing a fleet of internal Windows servers for missing patches and insecure configurations. The team wants the most accurate, comprehensive picture of vulnerabilities that could be exploited by an attacker who has already gained a foothold on the network. Which scanning approach should the analyst select?

Reviewed for accuracy · Report an issue
Question 15 of 15

A security analyst runs a monthly authenticated vulnerability scan across a mixed environment. The report lists over 4,000 findings ranked by raw CVSS base score. Management asks the analyst to prioritize remediation efforts to reduce actual organizational risk most effectively. Several 'Critical' CVSS findings are on internal test servers with no sensitive data and no external exposure, while a 'High' finding affects an internet-facing payment processing system holding cardholder data. What should the analyst do FIRST to prioritize remediation?

Reviewed for accuracy · Report an issue

More CISSP practice

Keep going with the other ISC2 CISSP — Certified Information Systems Security Professional domains, or take a full timed mock exam.

← Back to CISSP overview