CISSP Practice Domain 8 — Software Development Security Q37 of 120

In secure SDLC, when should threat modeling be performed?

A CISSP practice question covering Domain 8: Software Development Security. Try answering before reading the explanation below.

Options:

- A. After deployment, when real threats are observed
- B. During the design phase, before significant code is written ✓ Correct answer
- C. Only during penetration testing
- D. Once a year as part of compliance

Why "During the design phase, before significant code is written" is the right answer

Threat modeling pays off most before any code exists, when a redesign costs no more than a whiteboard session. STRIDE, PASTA, and attack trees are all intended to be applied at design time. Deferring the exercise forces expensive refactoring of code that has already been written. Penetration testing does find issues, but it comes too late in the lifecycle and is too narrow in scope to substitute for design-phase modeling.
