CISSP · Question #1305
In setting expectations when reviewing the results of a security test, which of the following statements is MOST important to convey to reviewers?
The correct answer is B. The results of the tests represent a point-in-time assessment of the target(s).. Security test results reflect the state of a system at the specific moment testing occurred, not a continuous or permanent assessment. Communicating this limitation is critical for proper interpretation of findings.
Question
Options
- AThe target's security posture cannot be further compromised.
- BThe results of the tests represent a point-in-time assessment of the target(s).
- CThe accuracy of testing results can be greatly improved if the target(s) are properly hardened.
- DThe deficiencies identified can be corrected immediately
How the community answered
(27 responses)- A4% (1)
- B93% (25)
- D4% (1)
Why each option
Security test results reflect the state of a system at the specific moment testing occurred, not a continuous or permanent assessment. Communicating this limitation is critical for proper interpretation of findings.
Concluding that a target cannot be further compromised after a security test is a dangerous and inaccurate assumption, as no test guarantees exhaustive coverage of all attack vectors or zero-day vulnerabilities.
Security testing is inherently a point-in-time assessment, meaning vulnerabilities found (or not found) reflect the environment's state only during the testing window. New vulnerabilities, configuration changes, or newly deployed assets after the test are not captured, so reviewers must understand results can become outdated quickly. Conveying this sets accurate expectations and underscores the need for continuous monitoring and periodic retesting.
Hardening targets before testing would alter the environment being assessed and actually reduce the test's effectiveness at identifying real-world weaknesses, making this statement technically counterproductive and misleading.
Immediate remediation of all identified deficiencies is rarely feasible due to resource constraints, dependency management, change control processes, and risk prioritization, so stating this sets unrealistic and inaccurate expectations.
Concept tested: Security testing scope and point-in-time assessment limitations
Source: https://csrc.nist.gov/publications/detail/sp/800-115/final
Topics
Community Discussion
No community discussion yet for this question.