Which statement about secure development lifecycle is true?

Prepare for the PCI Approved Scanning Vendor (ASV) Test. Study with flashcards, multiple choice questions, hints, and explanations. Get exam ready!

Multiple Choice

Which statement about secure development lifecycle is true?

Explanation:
Security must be embedded across the entire software development life cycle. Starting with secure design and threat modeling identifies risks early. During implementation, secure coding practices and code reviews keep weaknesses from being introduced. Security testing—static analysis, dynamic analysis, and other testing—verifies that protections work and that new flaws aren’t introduced. At deployment and in ongoing operations, secure configurations, regular patching, and continuous monitoring maintain security over time. This continuous, lifecycle-wide approach reduces risk and aligns with PCI DSS, which treats secure development as a fundamental, non-optional part of building and maintaining software. Limiting security to deployment, ignoring testing, or making it optional would leave vulnerabilities unaddressed and fail to meet required standards.

