Which term identifies applications needing patches or updates?

The thing this question is testing is how weaknesses in software are discovered so they can be fixed. A vulnerability assessment is the activity that scans systems, software, and configurations to identify security weaknesses, including missing patches and outdated versions. It effectively creates a list of which applications are vulnerable and need updates, often with risk context to help prioritize remediation. Patch management, while closely related, is about the ongoing process of applying patches and tracking their deployment; it uses the results from vulnerability assessments but isn’t by itself the step that identifies what needs patching. Risk analysis focuses on evaluating potential impact and likelihood of threats, not specifically on listing which apps require patches. Software inventory catalogs installed software, which helps in knowing what exists, but it doesn’t determine patch needs without the vulnerability context. So, identifying applications needing patches or updates is best described by vulnerability assessment.