Assessing a third party’s risk by counting bugs in the code may not be the best measure of an attack surface within the supply chain. Which of the following is LEAST associated with the attack surface?

A. Input protocols
B. Target processes
C. Error messages
D. Access rights