Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

7.5. Reflection Checkpoint

Key Takeaways

  • Vulnerability assessment identifies potential vulnerabilities; penetration testing confirms exploitable chains and real impact. Both are needed; neither substitutes for the other.
  • CVSS Base Score measures the technical severity of the flaw itself. Environmental Score adjusts it for your deployment (asset value, existing mitigations, exposure). EPSS estimates the probability that the flaw is exploited in the wild within the next 30 days. All three inform prioritization; Base Score alone is insufficient.
  • Authenticated scans read installed package versions and local configuration directly, so they produce fewer false positives and broader coverage than unauthenticated scans, which infer state from exposed services and banners. The cost is a scanning credential that must be managed like any other privileged account.
  • Black box = no prior knowledge. White box = full access to code, configuration and architecture. Gray box = partial knowledge, such as user-level credentials (most realistic). All require signed authorization defining scope and rules of engagement; testing without it is unauthorized access, whatever the intent.
  • SOC 2 Type I = point-in-time design assessment. Type II = operating effectiveness over a period. Type II is substantially more valuable for vendor due diligence.
  • SAST analyzes source code or binaries without running them. DAST probes a running application from the outside, as an attacker would. SCA inventories third-party components and matches them against known-vulnerability and license data. Each has blind spots; no single method provides full coverage.
  • Shift-left: the widely cited cost curve puts a defect found during requirements at 1× and the same defect found in production at roughly 100×. The exact multiplier varies by study; the point is that the cost of a fix rises steeply with every phase the defect survives.
  • Risk-based vulnerability prioritization combines CVSS, EPSS, CISA KEV, asset criticality, and exposure context. No single score is sufficient for remediation decisions.
  • Remediation tracking requires a closed loop: discover → prioritize → assign → remediate → verify → close. Risk acceptance without governance (documentation, compensating controls, approval authority, time-bound revalidation) is risk ignorance.
  • KPIs measure process execution ("are we doing things right?"); KRIs measure risk exposure ("are we exposed to bad outcomes?"). Activity metrics (events processed, scans run) are not effectiveness metrics.
  • Security metrics must be translated into business impact language to drive executive decisions.
  • Untested backups are assumptions, not controls. Test restores are the only proof a backup works. DR testing progresses: checklist → tabletop → parallel → full interruption.
  • Actual RTO and RPO measured during DR tests must be compared against BIA requirements. Any gap must be closed before the next test cycle.
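The prioritization rule in the CVSS, EPSS and KEV takeaways above, worked through as an added example (this code is not part of the course page). The findings, the exposure weights, the KEV and minimum-likelihood values and the SLA thresholds are all constructed or assumed policy choices, and the asset-criticality times exposure factor is a simplified stand-in for the CVSS environmental adjustment, not the CVSS v3.1 environmental formula.

```python
"""Added example (not from the course): risk-based vulnerability prioritization.

Ranks constructed sample findings by combining CVSS base score, a context
adjustment (asset criticality x exposure, a simplified stand-in for the CVSS
environmental score), EPSS probability and CISA KEV status, then maps the
result to an SLA tier. All weights and thresholds are assumed policy values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    id: str                 # internal tracking id (constructed, not a real CVE)
    cvss_base: float        # 0.0-10.0 CVSS base score: technical severity
    epss: float             # 0.0-1.0 EPSS: probability of exploitation within 30 days
    in_kev: bool            # listed in the CISA Known Exploited Vulnerabilities catalog
    asset_criticality: int  # 1 (low) .. 5 (crown jewel), from the BIA / asset inventory
    exposure: str           # "internet", "internal" or "isolated"


# Assumed policy parameters; an organization tunes these to its own risk appetite.
EXPOSURE_FACTOR = {"internet": 1.0, "internal": 0.6, "isolated": 0.3}
KEV_LIKELIHOOD = 0.9      # confirmed in-the-wild exploitation outranks any EPSS estimate
MIN_LIKELIHOOD = 0.1      # never zero out a finding just because EPSS is tiny


def likelihood(f: Finding) -> float:
    """Exploitation signal: KEV membership is authoritative, EPSS is the estimate."""
    if not 0.0 <= f.epss <= 1.0:
        raise ValueError(f"{f.id}: EPSS must be within [0, 1], got {f.epss}")
    return max(KEV_LIKELIHOOD if f.in_kev else f.epss, MIN_LIKELIHOOD)


def context(f: Finding) -> float:
    """Environmental adjustment: how much the asset matters and who can reach it."""
    if f.exposure not in EXPOSURE_FACTOR:
        raise ValueError(f"{f.id}: unknown exposure {f.exposure!r}")
    if not 1 <= f.asset_criticality <= 5:
        raise ValueError(f"{f.id}: asset criticality must be 1..5")
    return (f.asset_criticality / 5.0) * EXPOSURE_FACTOR[f.exposure]


def risk_score(f: Finding) -> float:
    """Composite 0-100 score: severity x likelihood x context, one decimal."""
    if not 0.0 <= f.cvss_base <= 10.0:
        raise ValueError(f"{f.id}: CVSS base must be within [0, 10]")
    return round(100.0 * (f.cvss_base / 10.0) * likelihood(f) * context(f), 1)


def sla_tier(f: Finding) -> str:
    """Map the composite score to a remediation SLA (assumed thresholds)."""
    score = risk_score(f)
    if score >= 50.0:
        return "act (72h)"
    if score >= 20.0:
        return "attend (30d)"
    return "track (next cycle)"


def rank(findings):
    """Highest composite risk first; CVSS base only breaks ties."""
    return sorted(findings, key=lambda f: (-risk_score(f), -f.cvss_base))


def rank_by_cvss_only(findings):
    """The naive queue the takeaway warns against, kept for comparison."""
    return sorted(findings, key=lambda f: -f.cvss_base)


# Constructed sample data: four findings chosen to show the ordering inversion.
SAMPLE_FINDINGS = [
    Finding("VULN-A", 9.8, 0.02, False, 2, "isolated"),  # critical CVSS, unreachable test box
    Finding("VULN-B", 7.5, 0.40, True, 5, "internet"),   # in KEV, on the customer-facing portal
    Finding("VULN-C", 8.8, 0.65, False, 4, "internal"),  # high EPSS, internal payments service
    Finding("VULN-D", 6.5, 0.01, False, 5, "internet"),  # medium severity, weak exploitation signal
]

if __name__ == "__main__":
    print("By CVSS base alone:", [f.id for f in rank_by_cvss_only(SAMPLE_FINDINGS)])
    print("Risk-based        :", [f.id for f in rank(SAMPLE_FINDINGS)])
    for f in rank(SAMPLE_FINDINGS):
        print(f"{f.id}  cvss={f.cvss_base:<4} score={risk_score(f):<5} -> {sla_tier(f)}")
```

Sorting by CVSS base puts VULN-A first and the KEV-listed VULN-B third; the composite ranking reverses that, because confirmed exploitation on an internet-facing crown-jewel asset dominates a theoretical 9.8 on an isolated host. Removing the KEV flag from VULN-B drops it from the 72-hour tier to the 30-day tier, which is the kind of movement a remediation SLA should be sensitive to.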

Connecting Forward

Phase 8 (Domain 7 — Security Operations) is where everything from previous domains is executed day-to-day. Vulnerability management from Domain 6 feeds into patch management operations. Incident response depends on the monitoring capabilities built in Domain 6. Business continuity from Domain 1 gets implemented through Domain 7's disaster recovery procedures. Operations is where plans meet reality.

Self-Check Questions

  • Your organization conducts quarterly vulnerability scans but has not done a penetration test in three years. The CISO argues scanning is "equivalent" since it covers more systems. Construct a two-paragraph response explaining why this equivalence is incorrect, using the language of risk management rather than technical terminology.
  • A developer uses DAST in the CI/CD pipeline and SCA for dependency scanning. A security review finds a SQL injection flaw that neither tool detected. What type of testing would have found this flaw, why did DAST miss it, and what process change prevents this gap?
Written by Alvin Varughese, Founder, 15 professional certifications