Threat Mitigation

Mitigation is a specific task or step to reduce the likelihood or impact of a threat.

The three main ways are:

  • Accept Risk: low rating or too expensive (more than dealing with the threat itself)
  • Policies/Contracts: written rules with consequences (for example an API with an SLA)
  • Security Controls (the preferred way to mitigate risks, as they reduce the likelihood of being exploited): code written to reduce the risk of exploitation; a safety net for developers. Good security controls can be shared across different applications to make security functionality easier to implement correctly. They must be:
    • Vetted: reviewed and approved by the security team
    • Required: mandated for use across the organization; reusable
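As an added illustration (not part of the original notes) of what a vetted, reusable security control looks like in code, the module below centralizes two common checks so that every application imports the same approved rule instead of re-implementing it: an allowlist validator for identifiers and a path-containment check that keeps user-supplied paths inside a base directory. The module and function names, the allowlist pattern and the sample paths are assumptions chosen for the example.

```python
"""Hypothetical shared security-control module (added example, not from the notes).

Each function is a single vetted rule that application teams are required to
call rather than writing their own variant. Names and patterns are assumptions.
"""
import re
from pathlib import Path

# Vetted allowlist: lower-case letters, digits, underscore and hyphen, 1-64 chars.
# An allowlist (what is permitted) is preferred over a denylist (what is blocked).
_IDENTIFIER_RE = re.compile(r"[a-z0-9_-]{1,64}")


def validate_identifier(value: str) -> str:
    """Return value unchanged if it matches the allowlist, else raise ValueError.

    Centralizing the rule means a fix or tightening applies to every caller.
    """
    if not isinstance(value, str) or _IDENTIFIER_RE.fullmatch(value) is None:
        raise ValueError("identifier rejected by allowlist")
    return value


def is_valid_identifier(value: str) -> bool:
    """Boolean form of validate_identifier for callers that branch on the result."""
    try:
        validate_identifier(value)
        return True
    except ValueError:
        return False


def safe_join(base_dir: str, user_path: str) -> str:
    """Join user_path under base_dir and prove the result stays inside base_dir.

    Both paths are resolved (symlinks and '..' collapsed) before the containment
    check, so traversal sequences and absolute paths are rejected uniformly.
    """
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)  # raises ValueError when candidate is outside base
    except ValueError:
        raise ValueError("path escapes the base directory") from None
    return str(candidate)


def is_contained(base_dir: str, user_path: str) -> bool:
    """Boolean form of safe_join."""
    try:
        safe_join(base_dir, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one accepted and one rejected for each control.
    base = "/srv/app/uploads"  # assumed base directory for the example
    for ident in ("report-2024_q1", "Report 1; DROP"):
        print(f"identifier {ident!r}: {'accepted' if is_valid_identifier(ident) else 'rejected'}")
    for rel in ("sub/file.txt", "../../etc/passwd"):
        print(f"path {rel!r}: {'accepted' if is_contained(base, rel) else 'rejected'}")
```

Because the controls raise rather than return a sanitized guess, a caller that forgets to handle the error fails closed, which is the safety-net behaviour the notes describe; the boolean wrappers exist for code paths that legitimately need to branch.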