CISSP · Question #1430
A software engineer uses automated tools to review application code and search for application flaws, back doors, or other malicious code. Which of the following is the FIRST Software Development Life
The correct answer is C. Development. Static code analysis and automated code review tools are first applied during the Development phase, when actual source code exists to be analyzed for flaws, back doors, or malicious logic.
Question
Options
- ADesign
- BTest
- CDevelopment
- DDeployment
How the community answered
(40 responses)- A8% (3)
- B5% (2)
- C73% (29)
- D15% (6)
Why each option
Static code analysis and automated code review tools are first applied during the Development phase, when actual source code exists to be analyzed for flaws, back doors, or malicious logic.
The Design phase produces architecture diagrams, specifications, and threat models - not actual source code - so automated code review tools have no code to analyze at this stage.
The Test phase does involve security testing, but it comes after Development; automated code scanning can and should first occur during Development, making Test a later - not the first - phase for this activity.
The Development phase is the first SDLC phase where executable or reviewable source code actually exists, making it the earliest point at which automated static analysis tools (SAST) can scan for application flaws, back doors, or malicious code. Integrating security review at this stage follows the 'shift-left' security principle, catching vulnerabilities as early as possible before they propagate to later phases. Running these tools in Development is earlier than Testing, making it the FIRST phase where this activity occurs.
Deployment is one of the last SDLC phases, occurring after code has already been developed and tested; waiting until Deployment to perform code review would be far too late and contradicts secure SDLC best practices.
Concept tested: SDLC phase for static application security testing
Source: https://learn.microsoft.com/en-us/azure/devops/learn/devops-at-microsoft/security-in-devops
Topics
Community Discussion
No community discussion yet for this question.