Explanation: Use cases for the device are specified and software components required by each use case are identified. Software not required by any use case is considered for removal from the system to eliminate the possibility of attacks exploiting software unneeded for system function.
Vulnerabilities addressed: Addresses software vulnerabilities located in unused components.
Developer resources required: Requires identification of a comprehensive set of use cases (sometimes difficult in practice) and ability to track each use case back to software required for it.
Evaluator resources required: Requires manual review of software components present against the specified use cases.