How to audit unmitigated threats
Question
What if I don't have a mitigation for an issue on the indicated model elements, but I agree that it is a valid issue?
Answer
In the Microsoft Threat Modeling Tool, for example, a threat that has been judged valid but has no mitigation yet can be recorded as follows:
- In the Threat Properties window, in the Status pulldown, select "Needs Investigation".
- In the Threat Properties window, in the Justification field, write "This threat is valid but has not been mitigated. The current design is described in [document name] [document section]." (filling in the actual document name and section).
- Leave the status at "Needs Investigation" rather than "Mitigated" or "Not Applicable": the threat then stays open in the tool's threat list and report until a mitigation has been designed and recorded, and the justification tells the next reviewer where the current design is documented.
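The procedure above records the decision threat by threat in the GUI; auditing a whole model means finding every threat that is still open and checking that each "Needs Investigation" entry carries a filled-in justification. The script below is an added example, not part of the original page or of the Microsoft Threat Modeling Tool itself. It assumes that the tool's .tm7 XML stores each threat as an element whose children include `State`, `StateInformation` (the justification), `Id` and `Title`, and that states are serialized as `AutoGenerated`, `NotStarted`, `NeedsInvestigation`, `Mitigated` and `NotApplicable`; those element names and values are assumptions to verify against your own .tm7 file. The embedded sample model is constructed for the example.

```python
"""Audit a Threat Modeling Tool model for valid-but-unmitigated threats (added example).

Lists threats whose state is still open and flags "Needs Investigation"
entries whose justification is empty or still contains the unfilled
"[document name] [document section]" placeholders from the recommended wording.
Assumption (not from the page): each threat is an element with <State>,
<StateInformation>, <Id> and <Title> children; check against a real .tm7.
"""
import re
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Status values as they are assumed to be serialized; spaces are stripped on read,
# so "Needs Investigation" and "NeedsInvestigation" both match.
CLOSED_STATES = {"Mitigated", "NotApplicable"}
PLACEHOLDER_RE = re.compile(r"\[document (name|section)\]", re.IGNORECASE)

# Constructed sample in the assumed layout, namespaced like real tm7 output.
SAMPLE_TM7 = """<ThreatModel xmlns="http://schemas.datacontract.org/2004/07/ThreatModeling.Model">
 <ThreatInstances xmlns:a="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
  <a:KeyValueOfstringThreat><a:Value>
    <Id>1</Id><Title>Spoofing of the Web App</Title>
    <State>Mitigated</State><StateInformation>Mutual TLS; Design v3 sec 4.2</StateInformation>
  </a:Value></a:KeyValueOfstringThreat>
  <a:KeyValueOfstringThreat><a:Value>
    <Id>2</Id><Title>Data Flow Sniffing</Title>
    <State>NeedsInvestigation</State><StateInformation>This threat is valid but has not been mitigated. The current design is described in Payments Design v3 section 5.1.</StateInformation>
  </a:Value></a:KeyValueOfstringThreat>
  <a:KeyValueOfstringThreat><a:Value>
    <Id>3</Id><Title>Elevation by Changing the Execution Flow</Title>
    <State>NeedsInvestigation</State><StateInformation>This threat is valid but has not been mitigated. The current design is described in [document name] [document section].</StateInformation>
  </a:Value></a:KeyValueOfstringThreat>
  <a:KeyValueOfstringThreat><a:Value>
    <Id>4</Id><Title>Weak Authentication Scheme</Title>
    <State>AutoGenerated</State><StateInformation/>
  </a:Value></a:KeyValueOfstringThreat>
  <a:KeyValueOfstringThreat><a:Value>
    <Id>5</Id><Title>Cross Site Request Forgery</Title>
    <State>NotApplicable</State><StateInformation>No browser client; API is backend-only.</StateInformation>
  </a:Value></a:KeyValueOfstringThreat>
 </ThreatInstances>
</ThreatModel>
"""


@dataclass
class Threat:
    id: str
    title: str
    state: str
    justification: str


def _local(tag: str) -> str:
    """Strip the XML namespace so element names match regardless of prefix."""
    return tag.rpartition("}")[2]


def parse_threats(xml_text: str) -> list:
    """Return one Threat per element that has a <State> child (the assumed threat entry)."""
    root = ET.fromstring(xml_text)
    threats = []
    for entry in root.iter():
        fields = {_local(c.tag): (c.text or "").strip() for c in entry}
        if "State" not in fields:
            continue
        threats.append(Threat(fields.get("Id", "?"), fields.get("Title", ""),
                              fields["State"].replace(" ", ""),
                              fields.get("StateInformation", "")))
    return threats


def audit(threats: list) -> dict:
    """Count states, list open threats, and flag unusable justifications.

    A "Needs Investigation" threat is flagged when its justification is empty
    or still contains the "[document name]" / "[document section]" placeholders.
    Open threats that are not yet "Needs Investigation" are reported as untriaged.
    """
    counts, open_threats, bad_justification = {}, [], []
    for t in threats:
        counts[t.state] = counts.get(t.state, 0) + 1
        if t.state in CLOSED_STATES:
            continue
        open_threats.append(t)
        if t.state == "NeedsInvestigation" and (
                not t.justification or PLACEHOLDER_RE.search(t.justification)):
            bad_justification.append(t)
    untriaged = [t for t in open_threats if t.state != "NeedsInvestigation"]
    return {"counts": counts, "open": open_threats,
            "untriaged": untriaged, "bad_justification": bad_justification}


if __name__ == "__main__":
    # Usage: python audit_tm7.py model.tm7   (falls back to the constructed sample)
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_TM7
    result = audit(parse_threats(text))
    print("state counts:", result["counts"])
    for t in result["untriaged"]:
        print(f"UNTRIAGED   #{t.id} {t.title} ({t.state})")
    for t in result["bad_justification"]:
        print(f"NO JUSTIF.  #{t.id} {t.title}")
```

On the sample, threat 3 is flagged because the placeholders were never filled in, and threat 4 is reported as untriaged because it still sits in the auto-generated state; threats 1 and 5 are closed and not listed. Run it against a real model after exporting and confirming the element names, since the layout here is an assumption.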
References
none