Report the Result of Security Testing

Learning Objectives

After completing this unit, you’ll be able to:

  • Record test data in a test evaluation report.
  • Determine the level of assurance of developed capabilities and compliance with requirements.
  • Make recommendations based on test results.

Record Test Data

In the last step of the security testing and evaluation (ST&E) process, you record the test data and give decision makers the information they need to determine whether the system is achieving its stated security objectives. After you analyze the test data, you translate the data and test results into evaluative conclusions. You then present a summary analysis of the test results and the testing methods for review and assessment.

[Image: ST&E specialists as judges at a contest, holding up placards to indicate how many stars (8, 9, and 10) they give a system.]

When recording the test data, you provide all the necessary information about the security testing for the benefit of the key stakeholders, including the developers. The goal is to document the observed behavior of the system under test and compare it to the expectations of the customer. You also detect, log, and report defects to developers, and if a test is not successful, you retest.

Determine Level of Assurance and Compliance with Requirements

Remember the information assurance testing you did in the previous unit? This testing helps you examine the level of assurance of developed capabilities. You determine the system’s compliance with defined security specifications and requirements, and create auditable evidence of security measures. Through testing, you assessed the effectiveness of security capabilities, and your report should now compare expected results with the real outcome. In your report, you answer the following questions:

  • Is the system performing securely?
  • Is it being used securely?
  • Did it address security design specifications?
  • Did the release meet its security objectives?
  • Did it deliver planned security benefits and are the stakeholders satisfied?

Make Recommendations Based on Test Results

The final piece of the puzzle in reporting on test results is to make recommendations to ensure compliance, improve the system, and enhance the testing implementation process. You share lessons learned from the testing process. To address areas for further improvement, you create specific action items for any needed modifications to the system or surrounding processes and communicate them to stakeholders. You update the testing plans and scripts for use with the next release. Finally, you help monitor system performance once it’s live in production to validate secure operations, and you conduct follow-up evaluations after a new release is implemented.

Sum It Up

In this module, you’ve been introduced to methods for planning and developing an ST&E strategy. You’ve also learned how to execute the ST&E strategy and report on the security of the system.

Along with the information you reviewed in the ST&E Specialist module, you should now have a better understanding of what it takes to be an ST&E specialist. You can learn more about the in-demand cybersecurity skills necessary to get a job in ST&E, or another field, and learn more from real security practitioners by visiting the Cybersecurity Learning Hub on Trailhead. 
