nerdexam
(ISC)2

CISSP · Question #471

Which of the following practices provides the development of security and identification of threats in designing software?

The correct answer is D. Threat modeling. Threat modeling is a practice that provides the development of security and identification of threats in designing software. Threat modeling is a systematic process of identifying, analyzing, and mitigating the potential threats and vulnerabilities that could affect a software sy

Submitted by cyberguy42· Mar 5, 2026Software Development Security

Question

Which of the following practices provides the development of security and identification of threats in designing software?

Options

  • AStakeholder review
  • BRequirements review
  • CPenetration testing
  • DThreat modeling

How the community answered

(53 responses)
  • A
    2% (1)
  • B
    2% (1)
  • C
    6% (3)
  • D
    91% (48)

Explanation

Threat modeling is a practice that provides the development of security and identification of threats in designing software. Threat modeling is a systematic process of identifying, analyzing, and mitigating the potential threats and vulnerabilities that could affect a software system. Threat modeling helps to design secure software by applying security principles, such as defense in depth, least privilege, and fail-safe defaults, throughout the software development life cycle. Stakeholder review, requirements review, and penetration testing are not practices that provide the development of security and identification of threats in designing software, although they may contribute to the overall security assurance of the software. Stakeholder review is a process of obtaining feedback and approval from the stakeholders of a software project, such as customers, users, managers, and developers. Requirements review is a process of verifying and validating the functional and non- functional requirements of a software system, such as performance, usability, reliability, and security. Penetration testing is a process of simulating real-world attacks on a software system to identify and exploit its vulnerabilities and weaknesses.

Topics

#threat modeling#SDLC security#software design#vulnerability identification

Community Discussion

No community discussion yet for this question.

Full CISSP Practice