ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question

Your organization needs a repeatable approach for assessing the effectiveness of technical, physical, and operational controls during penetration tests across its global data centers. Which standard best fits this requirement when you are building the security testing strategy?

ISO/IEC 27034 Application Security standard
Open Source Security Testing Methodology Manual (OSSTMM)
NIST Special Publication 800-64
OWASP Application Security Verification Standard (ASVS)

Report Issue

Answer Description

The Open Source Security Testing Methodology Manual (OSSTMM) is a comprehensive framework for operational security testing. It provides detailed, scientific procedures for evaluating network, wireless, telecommunications, human, and physical security controls and produces consistently structured, quantitative test results that facilitate repeatable assessments.

ISO/IEC 27034 centers on integrating security into the application development life-cycle rather than defining penetration-testing procedures. NIST SP 800-64 (now withdrawn) offered SDLC-oriented security guidance but no concrete penetration-testing methodology. The OWASP Application Security Verification Standard (ASVS) is focused narrowly on web-application control verification, not on broader operational or physical security domains.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.