A security program manager wants to actively test the security posture of a system. The system is not yet in
production and has no uptime requirement or active user base. Which of the following methods will produce a
report which shows vulnerabilities that were actually exploited?
A.
Peer review
B.
Component testing
C.
Penetration testing
D.
Vulnerability testing