CISSP · Question #1131
An organization is implementing security review as part of system development. Which of the following is the BEST technique to follow?
The correct answer is C. Perform incremental assessments.. When integrating security reviews into the system development lifecycle (SDLC), incremental assessments align security checks with each development phase, catching vulnerabilities early and continuously.
Question
An organization is implementing security review as part of system development. Which of the following is the BEST technique to follow?
Options
- AEngage a third-party auditing firm.
- BReview security architecture.
- CPerform incremental assessments.
- DConduct penetration testing.
How the community answered
(60 responses)- A15% (9)
- B3% (2)
- C73% (44)
- D8% (5)
Why each option
When integrating security reviews into the system development lifecycle (SDLC), incremental assessments align security checks with each development phase, catching vulnerabilities early and continuously.
Engaging a third-party auditing firm is a point-in-time activity typically used for compliance validation, not a continuous technique integrated throughout system development.
Reviewing security architecture is only one phase-specific activity focused on design, not a comprehensive technique that spans the entire development lifecycle.
Performing incremental assessments means security is evaluated at each stage of development (requirements, design, coding, testing, deployment), which is the foundational principle of a Secure SDLC (S-SDLC). This approach reduces remediation costs by identifying vulnerabilities early and ensures security is built in rather than bolted on, aligning with frameworks like NIST SP 800-64 and OWASP SAMM.
Penetration testing is a late-stage assessment technique performed after a system is built, making it reactive rather than proactive when integrated into the development process.
Concept tested: Security integration throughout the SDLC using incremental assessments
Source: https://csrc.nist.gov/publications/detail/sp/800-64/rev-2/final
Topics
Community Discussion
No community discussion yet for this question.