nerdexam
(ISC)2

CISSP · Question #1371

Which of the following techniques evaluates the secure Bet principles of network or software architectures?

The correct answer is A. Threat modeling. Threat modeling is a structured process used to identify, evaluate, and address security weaknesses in network or software architectures, including validating secure design principles. It helps teams proactively assess how systems can be attacked and what controls are needed.

Submitted by andreas_gr· Mar 5, 2026Software Development Security

Question

Which of the following techniques evaluates the secure Bet principles of network or software architectures?

Options

  • AThreat modeling
  • BRisk modeling
  • CWaterfall method
  • DFuzzing

How the community answered

(23 responses)
  • A
    91% (21)
  • B
    4% (1)
  • C
    4% (1)

Why each option

Threat modeling is a structured process used to identify, evaluate, and address security weaknesses in network or software architectures, including validating secure design principles. It helps teams proactively assess how systems can be attacked and what controls are needed.

AThreat modelingCorrect

Threat modeling is a security engineering technique specifically used to evaluate architectural designs against secure design principles (such as least privilege, defense in depth, and Zero Trust/BET principles) by systematically identifying threats, vulnerabilities, and mitigations early in the design phase. Frameworks like STRIDE, PASTA, and DREAD are commonly used during threat modeling to assess how well an architecture adheres to security best practices. This makes it the correct choice for evaluating the security posture of network or software architectures.

BRisk modeling

Risk modeling is a broader quantitative or qualitative process focused on assessing and prioritizing business risks, not specifically evaluating the secure design principles of a network or software architecture.

CWaterfall method

The Waterfall method is a sequential software development lifecycle (SDLC) methodology that defines phases of development (requirements, design, implementation, testing), but it is not a security evaluation technique and does not assess secure design principles.

DFuzzing

Fuzzing is a dynamic application security testing (DAST) technique that sends malformed or random inputs to a running application to discover bugs and vulnerabilities, but it does not evaluate architectural secure design principles.

Concept tested: Threat modeling for evaluating secure architecture principles

Source: https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool

Topics

#threat modeling#security architecture#software security#risk assessment

Community Discussion

No community discussion yet for this question.

Full CISSP Practice