Question: In the SDLC, where does secure coding fit?

A. Implementation

B. Maintenance

C. Design

D. Deployment

Correct Answer:  A

Explanation:

A. Implementation
The Implementation phase (also known as the Development or Coding phase) is where developers translate design documents into functional source code.

Why it's the Answer: Secure coding is the act of writing code that is resistant to attack. This is where developers use techniques like input validation, output encoding, and parameterized queries to prevent flaws like SQL Injection or Cross-Site Scripting (XSS).

Tools Used: This phase is where Static Application Security Testing (SAST) tools are integrated into the IDE (Integrated Development Environment) or the CI/CD pipeline to catch vulnerabilities as the code is being written.

B. Maintenance
The Maintenance phase is the longest stage of the SDLC, occurring after the software is live.

The Focus: Security in this phase involves Patch Management, vulnerability monitoring, and responding to newly discovered exploits (Zero-days).

The Limitation: While you might write "secure code" to fix a bug discovered in production, this is a reactive measure. The primary "secure coding" effort should have occurred long before the software reached this stage to reduce the total cost of ownership.

C. Design
The Design phase is where the technical blueprint of the application is created.

Strategic vs. Tactical: This phase is about Secure Design, not secure coding. Activities here include Threat Modeling, defining security requirements, and choosing encryption standards.

The Distinction: Design tells you what security features to build; Implementation is the act of coding those features correctly. You can have a perfectly secure design that is undermined by poor coding practices (like a buffer overflow in a secure login module).

D. Deployment
Deployment is the transition of the software from the testing environment to the production environment.

Operational Security: Security at this stage focuses on Secure Configuration, hardening the underlying servers, and managing SSL/TLS certificates.

The Limitation: By the time you reach deployment, the coding is finished. If you discover a coding flaw during deployment, you usually have to roll back the release to the Implementation phase to fix it, which causes significant business delays.

Key Takeaway for the CISSP Exam

• SDLC Security Mapping:
• Requirements: Security Functional Requirements / Privacy Impact Assessment.
• Design: Threat Modeling / Attack Surface Analysis.
• Implementation: Secure Coding / Static Analysis (SAST).
• Testing: Dynamic Analysis (DAST) / Pen Testing / Fuzzing.
• Maintenance: Patching / Continuous Monitoring.