A software development organization wants to integrate security into its agile development process. Which of the following approaches would be MOST effective?
Implementing security controls after the application is feature-complete
Conducting a comprehensive security review at the end of each release
Adding security-focused user stories and acceptance criteria to the product backlog
Requiring developers to complete security training once per year
The correct answer is Adding security-focused user stories and acceptance criteria to the product backlog. Integrating security-focused user stories and acceptance criteria into the product backlog ensures that security requirements are treated with the same priority as functional requirements and are addressed during regular development sprints. This approach aligns with agile principles by making security work visible, trackable, and part of the regular development workflow rather than a separate activity.
Conducting a comprehensive security review at the end of each release is incorrect because reviewing security only at the end of a release contradicts agile principles by creating a "mini-waterfall" approach. It forms a bottleneck at the end of the release cycle and, when time is short, often results in security issues being deferred to future releases.
Requiring developers to complete security training once per year is incorrect because while security training is important, annual training alone is insufficient for integrating security into an agile process. Effective integration requires ongoing application of security practices throughout development, not just periodic training.
Implementing security controls after the application is feature-complete is incorrect because it represents a traditional waterfall approach that contradicts agile principles. Retrofitting controls at that stage often leads to significant rework or to security compromises when security requirements conflict with functionality that is already built.
ISC2 CISSP
Software Development Security