A company's internet-facing web application has been compromised several times due to identified design flaws. The company would like to minimize the risk of these incidents from recurring and wants to shift left. Which of the following are the best options to help identify flaws within the system? (Select two)

Deploying a Web Application Firewall (WAF) is a reactive measure that can help protect against known security threats by filtering and monitoring HTTP traffic to and from a web application. However, it may not be the best option for identifying underlying design flaws within the system as it focuses more on filtering malicious traffic rather than detecting vulnerabilities.

Performing a forensic analysis is typically done after a security incident to understand what happened and to gather evidence for potential legal actions. While this can be valuable for understanding past compromises, it is not a proactive method for identifying design flaws before they are exploited.

Tabletop exercises are simulations of potential cybersecurity incidents designed to test an organization's response procedures. While valuable for testing incident response plans, they are not directly related to identifying design flaws within the system.

Creating a bug bounty program incentivizes external researchers to report vulnerabilities in the application in exchange for rewards. While this can help in identifying security issues, it may not specifically target design flaws within the system.