I'm really not talking about defense in depth. There are vulnerabilities that are not relevant to any layer of defense, such as the hypothetical grep vulnerability I talked about earlier.
Taking a risk-based approach doesn't get you to skip out on thinking about any category of vulnerabilities, at any layer of defense.
Taking a risk-based approach doesn't get you to skip out on thinking about any category of vulnerabilities, at any layer of defense.