ISC2 CISSP Practice Question

The correct answer is integrating security activities throughout all phases of development. This shift-left approach embeds threat modeling, secure coding, and security testing early and continuously, so vulnerabilities are discovered when they are cheapest and least disruptive to fix.

Conducting a thorough penetration test just before release is useful but finds only a sample of issues late in the process, when remediation is costly.

Adding a dedicated security review after development reflects an outdated waterfall gate; the fixes it uncovers often require re-work or are waived to meet deadlines.

Implementing extensive security monitoring in production is reactive. While monitoring is essential for detection and response, it cannot prevent insecure code from being created; it must complement-not replace-secure development activities.