During this week’s class, one of the main topics we discussed was the OWASP Top 10. If you’re proposing to perform an application scan that uses the OWASP Top 10, how would you justify that rationale? Also, how would you answer if they questioned you about whether you were going to scan for CSRF vulnerabilities, which are not part of the 2017 release of the OWASP Top 10?