nerdexam
(ISC)2

CISSP · Question #1131

An organization is implementing security review as part of system development. Which of the following is the BEST technique to follow?

The correct answer is C. Perform incremental assessments.. When integrating security reviews into the system development lifecycle (SDLC), incremental assessments align security checks with each development phase, catching vulnerabilities early and continuously.

Submitted by ricky.ec· Mar 5, 2026Software Development Security

Question

An organization is implementing security review as part of system development. Which of the following is the BEST technique to follow?

Options

  • AEngage a third-party auditing firm.
  • BReview security architecture.
  • CPerform incremental assessments.
  • DConduct penetration testing.

How the community answered

(60 responses)
  • A
    15% (9)
  • B
    3% (2)
  • C
    73% (44)
  • D
    8% (5)

Why each option

When integrating security reviews into the system development lifecycle (SDLC), incremental assessments align security checks with each development phase, catching vulnerabilities early and continuously.

AEngage a third-party auditing firm.

Engaging a third-party auditing firm is a point-in-time activity typically used for compliance validation, not a continuous technique integrated throughout system development.

BReview security architecture.

Reviewing security architecture is only one phase-specific activity focused on design, not a comprehensive technique that spans the entire development lifecycle.

CPerform incremental assessments.Correct

Performing incremental assessments means security is evaluated at each stage of development (requirements, design, coding, testing, deployment), which is the foundational principle of a Secure SDLC (S-SDLC). This approach reduces remediation costs by identifying vulnerabilities early and ensures security is built in rather than bolted on, aligning with frameworks like NIST SP 800-64 and OWASP SAMM.

DConduct penetration testing.

Penetration testing is a late-stage assessment technique performed after a system is built, making it reactive rather than proactive when integrated into the development process.

Concept tested: Security integration throughout the SDLC using incremental assessments

Source: https://csrc.nist.gov/publications/detail/sp/800-64/rev-2/final

Topics

#SDLC security#security assessment#system development#continuous integration

Community Discussion

No community discussion yet for this question.

Full CISSP Practice