How to audit unmitigated threats

Question

What if I don’t have a mitigation for issues for the indicated model elements but I agree that it is a valid issue?

Answer

For example, in the Microsoft Threat Modeling Tool the following can be done when a valid issue has been identified but has not yet been mitigated, so that the gap is recorded rather than silently closed:

  • In the Threat Properties window, for the Status pulldown, select “Needs Investigation”.
  • In the Threat Properties window, for the Justification, write “This threat is valid but has not been mitigated. The current design is described in [document name] [document section].”

References

none