Kizspy | Question: 36
(Choose 1 answer)
Since there is an infinity of possible vulnerabilities, but a finite number of threat types, the following can be stated:
A. Security engineering is therefore not possible in practice.
B. Penetration testing must focus on threats, not vulnerabilities.
C. We can issue threat advisories publicly, but not vulnerability advisories.
D. Threat-asset matrices can be constructed, but not vulnerability-asset matrices.
E. The cross product of vulnerabilities and threats must be mapped to assets.
