When integrating information security requirements into software development, which of the following practices should be FIRST in the development lifecycle?

A. Penetration testing
B. Dynamic code analysis
C. Threat modeling
D. Source code review