nerdexam
EC-Council

312-50V11 · Question #276

In the software security development life cycle process, threat modeling occurs in which phase?

The correct answer is A. Design. In Microsoft's and NIST's Secure Development Lifecycle (SDL/SDLC), threat modeling is formally conducted during the Design phase, before any code is written.

Information Security and Ethical Hacking Fundamentals

Question

In the software security development life cycle process, threat modeling occurs in which phase?

Options

  • ADesign
  • BRequirements
  • CVerification
  • DImplementation

How the community answered

(41 responses)
  • A
    93% (38)
  • B
    2% (1)
  • C
    5% (2)

Why each option

In Microsoft's and NIST's Secure Development Lifecycle (SDL/SDLC), threat modeling is formally conducted during the Design phase, before any code is written.

ADesignCorrect

Threat modeling occurs in the Design phase because it requires an understanding of the proposed system architecture, data flows, and trust boundaries - artifacts that are defined during design. Identifying threats at this stage allows security mitigations to be architected into the system rather than bolted on after implementation, significantly reducing remediation cost.

BRequirements

The Requirements phase focuses on gathering functional and non-functional requirements; threat modeling cannot be performed yet because the system architecture and data flow diagrams needed for threat analysis do not exist at this stage.

CVerification

The Verification phase involves testing and validating that security controls are correctly implemented - it occurs after design and implementation, too late to model and architect threat mitigations.

DImplementation

The Implementation phase is where developers write code according to the already-approved design; threat modeling should be complete before this phase so that developers can implement the required countermeasures.

Concept tested: Threat modeling placement in Secure SDLC design phase

Source: https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool

Topics

#threat modeling#SDLC#design phase#software security

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice