Which statement about the security scanning that should be performed throughout the development process is true?

Prepare for the Western Governors University ITCL3202 D320 Managing Cloud Security Exam. Study with flashcards and multiple-choice questions; each question has hints and explanations. Get ready for your exam!

The statement regarding the scope of an audit changing based on the cloud model used is accurate because different cloud models—such as IaaS (Infrastructure as a Service), PaaS (Platform as a Service), or SaaS (Software as a Service)—impose distinct security responsibilities and challenges. Each model has its own set of components, configurations, and compliance requirements that necessitate tailored auditing and security scanning approaches.

For instance, in an IaaS model, the customer is often responsible for securing the entire operating system and applications, while in a SaaS model, the provider retains more control over the security of the entire stack. Therefore, the scope and focus of security scans must adapt to reflect these differences, ensuring that specific vulnerabilities relevant to the cloud model in use are adequately addressed throughout the development process.

In contrast, the other options suggest a more limited or optional approach to security scanning, which does not align with best practices in software development and security. Regular security scanning is essential to identify and mitigate vulnerabilities continuously, rather than reserving it for initial stages or the final release. This ensures that security is integrated into the development lifecycle rather than treated as an afterthought, ultimately leading to a more robust and secure application.
