Certified Information Systems Security Professional (CISSP) — Question 90

Which of the following is the BEST method to identify security controls that should be implemented for a web-based application while in development?

Answer options

• A. Agile software development
• B. Secure software development
• C. Application threat modeling
• D. Penetration testing

Correct answer: C

Explanation

Application threat modeling is essential in identifying potential security vulnerabilities and necessary controls during the development of a web-based application. While Agile and Secure software development practices contribute to security, they do not specifically focus on identifying threats. Penetration testing is conducted after development to find security flaws but is not suitable for identifying controls during the development phase.