Which of the following is described as an acceptable approach to protect public-facing web applications against known attacks?

Multiple Choice

Explanation:
When protecting public-facing web applications, you want a layered approach that covers both detection of weaknesses and blocking of attacks. Regular external vulnerability scans identify weaknesses in the application and its environment so you can fix them. A web application firewall sits in front of the apps and blocks known attack patterns in real time, preventing exploits from reaching the application. PCI DSS supports using a WAF as a protective measure for public-facing apps and requires annual vulnerability scanning by an Approved Scanning Vendor. So combining both—annual vulnerability assessments and front-end protection like a WAF—provides the most comprehensive defense against known attacks. Relying on only one of these leaves gaps: scanning alone doesn’t stop exploits in real time, and a WAF alone may not address underlying vulnerabilities.