Conduct Security Control Testing
Organizations must manage the security control testing that occurs to ensure that all security controls are tested thoroughly by authorized individuals. The facets of security control testing that organizations must include are vulnerability assessments, penetration testing, log reviews, synthetic transactions, code review and testing, misuse case testing, test coverage analysis, and interface testing.
https://www.pearsonitcertification.com/articles/article.aspx?p=2931575&seqNum=2
The answer should be A: all of this testing is more related to applications development and sustaining.
The common term for log reviews, synthetic transactions, and code reviews is "Monitoring." Monitoring involves systematically observing, checking, and analyzing various aspects of a system, application, or codebase to ensure its proper functioning, security, and performance. Each of the activities mentioned falls under the broader umbrella of monitoring.
The common term for log reviews, synthetic transactions, and code reviews is "security control testing" (option C).
Log reviews involve analyzing system logs to identify any suspicious or anomalous activities that may indicate security incidents or policy violations. Synthetic transactions refer to simulated interactions with an application or system to test its behavior and response. Code reviews involve examining the source code of an application or software to identify security vulnerabilities and ensure compliance with coding standards.
All these activities fall under the broader category of security control testing, which aims to assess the effectiveness of security controls implemented within an organization's systems and applications. By conducting security control testing, organizations can identify weaknesses, vulnerabilities, and compliance gaps in their security measures and take appropriate remedial actions.
According to Chapter 15 of the Official Study Guide, 9th edition, Security Control Testing is comprised of the following:
Vulnerability assessment
Penetration testing
Log reviews
Synthetic transactions
Code review and testing
Misuse case testing
Test coverage analysis
Interface testing
Breach attack simulations
Compliance checks
Yep "C" it is. I thought of Spiral development functional testing first... but that's just an SDLC model used for risk management.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
dev46 (Highly Voted), 2 years, 2 months ago
jackdryan, 1 year, 6 months ago
maawar83 (Most Recent), 10 months, 4 weeks ago
Bach1968, 1 year, 4 months ago
Jamati, 2 years ago
franbarpro, 2 years, 1 month ago