A development team is adopting a secure SDLC. Which phase should include threat modeling to identify potential security vulnerabilities early?
Trap 1: Implementation
Performing threat modeling during implementation is late; vulnerabilities identified may require costly rework.
Trap 2: Testing
Testing is reactive; threat modeling should be proactive and occur earlier in the SDLC.
Trap 3: Requirements gathering
Threat modeling typically requires a design to analyze, so it is not usually performed during requirements gathering.
- A
Implementation
Why wrong: Performing threat modeling during implementation is late; vulnerabilities identified may require costly rework.
- B
Design
Threat modeling is a design-time activity that helps identify and address security threats before implementation.
- C
Testing
Why wrong: Testing is reactive; threat modeling should be proactive and occur earlier in the SDLC.
- D
Requirements gathering
Why wrong: Threat modeling typically requires a design to analyze, so it is not usually performed during requirements gathering.