Certified Information Security Manager (CISM) — Question 457

During which stage of the software development life cycle (SDLC) should application security controls FIRST be addressed?

Answer options

• A. Software code development
• B. Configuration management
• C. Requirements gathering
• D. Application system design

Correct answer: C

Explanation

The correct answer is C, as security controls should be integrated during the requirements gathering stage to ensure security considerations are part of the initial project specifications. Addressing security later in the SDLC, such as during software code development or design, may lead to vulnerabilities being overlooked or more costly to fix.