nerdexam
(ISC)2

CISSP · Question #585

In order for application developers to detect potential vulnerabilities earlier during the Software Development Life Cycle (SDLC), which of the following safeguards should be implemented FIRST as part

The correct answer is C. Threat modeling. Threat modeling is the earliest proactive security activity in the SDLC, identifying potential vulnerabilities during the design phase before any code is written. Implementing it first enables all subsequent security activities to be informed by a structured understanding of risk

Submitted by layla.eg· Mar 5, 2026Software Development Security

Question

In order for application developers to detect potential vulnerabilities earlier during the Software Development Life Cycle (SDLC), which of the following safeguards should be implemented FIRST as part of a comprehensive testing framework?

Options

  • ASource code review
  • BAcceptance testing
  • CThreat modeling
  • DAutomated testing

How the community answered

(36 responses)
  • A
    3% (1)
  • B
    3% (1)
  • C
    89% (32)
  • D
    6% (2)

Why each option

Threat modeling is the earliest proactive security activity in the SDLC, identifying potential vulnerabilities during the design phase before any code is written. Implementing it first enables all subsequent security activities to be informed by a structured understanding of risks.

ASource code review

Source code review occurs after code has already been written, meaning it is reactive to design decisions already made and misses architectural vulnerabilities introduced before the coding phase.

BAcceptance testing

Acceptance testing takes place near the end of the SDLC to verify that the system meets business requirements, making it one of the latest - not earliest - opportunities to detect security vulnerabilities.

CThreat modelingCorrect

Threat modeling is performed during the design/requirements phase of the SDLC - before coding begins - making it the earliest possible intervention point for identifying vulnerabilities. By systematically identifying attack surfaces, threat actors, and potential weaknesses in the architecture, developers can design security controls into the system from the start rather than retrofitting them later. This 'shift-left' approach reduces remediation costs and forms the foundation upon which all other testing activities (code review, automated testing, acceptance testing) are prioritized and scoped.

DAutomated testing

Automated testing (e.g., SAST/DAST) is applied during or after the coding phase and depends on existing code or running applications, so it cannot detect design-level vulnerabilities before development begins.

Concept tested: Earliest SDLC security activity using threat modeling

Source: https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool

Topics

#SDLC security#Threat modeling#Vulnerability detection#Secure design

Community Discussion

No community discussion yet for this question.

Full CISSP Practice