Prioritize security issues
Record each threat in your list together with its mitigation (the way to reduce or eliminate the risk), then work with your colleagues to assign a priority to each one.
Choose the priority framework
The prioritization exercise should follow the internal security bug bar created by your organization.
For reference purposes, the internal bug bar used by engineers at Microsoft is similar to the following table:
Severity | Description
---|---
Critical | May cause critical impact for system users. Examples include breaches involving sensitive information disclosure and threats that require privacy and legal involvement.
Important | May cause serious impact for system users. Examples include rendering a system unusable with no known workarounds.
Moderate | May cause moderate impact for system users. Examples include availability issues with possible workarounds.
Low | May cause low impact for system users.
Information | Potential threat has been considered, evaluated, and determined not relevant.