Which of the following would be MOST effective when justifying the cost of adding security controls to an existing web application?
A. Vulnerability assessment results
B. Application security policy
C. A business case
D. Internal audit reports
A. Vulnerability assessment results
B. Application security policy
C. A business case
D. Internal audit reports