Assessment is the process of verifying that security controls are functioning as intended. This involves detailed auditing of every change made to the codebase and performing continuous risk analysis to prioritize which vulnerabilities pose the greatest threat to the organization.