I don’t see how B fits since vulnerability analysis happens after requirements are set, not before. Security functional requirements need both the business analysis and knowing your data’s sensitivity, so D is the right sequence. Could be a tricky one if you miss that order.
Q: 4
When in the Software Development Life Cycle (SDLC) MUST software security functional
requirements be defined?
Options
Discussion
D. Security requirements have to be set right after business analysis and data categorization, not later in SDLC. If you wait until after vulnerability analysis or design phases, it's too late to integrate them fully.
It's D, not B. Vulnerability analysis comes after, trap for people mixing up SDLC order.
No way it's B, D is right. Security functional requirements come after business analysis and data categorization, not after vulnerability analysis.
Option B. Requirements usually get clearer after vulnerability checks but before detailed design.
Yeah, D makes the most sense. Security functional requirements have to be based on both business needs and the data's importance, so you need that info first. Pretty sure that's what CISSP wants here.
B tbh, had something like this in a mock and picked B because vulnerability analysis feels like a logical spot for security requirements. Not fully sure though.
It's D.
Totally agree, D is right. Security requirements go in after the functional analysis plus data categorization.