T04.E02. As a DoD radar program is preparing for the Preliminary Design Review (PDR), the system security engineering (SSE) team performs a vulnerability assessment of the legacy software code in the task management/ radar control interface. This is a Level 1 critical component. The system security engineer requests the contractor submit a vulnerability code analysis. The contractor analyzes 2% of the code and finds a high level of vulnerability based on 15 to 18 vulnerabilities per 10 thousand lines of code, with half the errors deemed most severe. Based on this high level of vulnerability in the sample code that was analyzed, which of the four following are reasonable next steps? Select the 4 alternatives that apply.)

1. Determine whether there are protections that can be put around the legacy code to reduce the exposure of the vulnerabilities (cost impact L-M, risk reduction: 2)
2. Perform additional vulnerability analysis of some or all the code (cost impact: Likely (M), risk reduction: 0)
3. Remediate the portion of the legacy code with the highest level of exploitable vulnerabilities (cost impact: High likelihood (H), risk reduction; 2)
4. Establish secure shipping methods (cost impact: M, risk reduction: 1)
5. Determine if there is a subset of the legacy code with the high level of exploitable vulnerabilities (cost impact: Low Likelihood (L), risk reduction: 0)
6. Rewrite all the code (cost impact: Near Certainty, risk reduction: 2)

I believe the correct choices are: 1,3,4,and 6. Please review and advise