Mitigation is a specific task or step to reduce the likelihood or impact of a threat.
The three main ways are:
- Accept Risk: the risk has a low rating, or mitigating it is too expensive (it costs more than dealing with the threat itself)
- Policies/Contracts: written rules with consequences (for example, an API with an SLA)
- Security Controls (the preferred way to mitigate risks, as they reduce the likelihood of being exploited): code written to reduce the risk of exploitation; a safety net for developers. Good security controls can be used across different applications to make security functionality easier to implement. They must be:
  - Vetted: approved by the security team
  - Requirement: required use across the organization; reusable