CISSP Question #585: Real Exam Question with Answer & Explanation
The correct answer is C: Threat modeling. Threat modeling is the earliest proactive security activity in the SDLC, identifying potential vulnerabilities during the design phase before any code is written. Implementing it first enables all subsequent security activities to be informed by a structured understanding of risk.
Question
In order for application developers to detect potential vulnerabilities earlier during the Software Development Life Cycle (SDLC), which of the following safeguards should be implemented FIRST as part of a comprehensive testing framework?
Options
- A. Source code review
- B. Acceptance testing
- C. Threat modeling
- D. Automated testing
Explanation
Threat modeling is the earliest proactive security activity in the SDLC, identifying potential vulnerabilities during the design phase before any code is written. Implementing it first enables all subsequent security activities to be informed by a structured understanding of risks.
Common mistakes.
- A. Source code review occurs after code has already been written, meaning it is reactive to design decisions already made and misses architectural vulnerabilities introduced before the coding phase.
- B. Acceptance testing takes place near the end of the SDLC to verify that the system meets business requirements, making it one of the latest, not earliest, opportunities to detect security vulnerabilities.
- D. Automated testing (e.g., SAST/DAST) is applied during or after the coding phase and depends on existing code or running applications, so it cannot detect design-level vulnerabilities before development begins.
Concept tested. Earliest SDLC security activity using threat modeling
Reference. https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool