Introduction

The threat-modeling framework helps you generate a list of threats and ways to reduce risk, but it doesn't prioritize them for you.

It also doesn't recommend layered security controls based on their type and function, which makes it harder to decide which controls to implement.

Prioritizing issues

Deciding the priority of issues is an important piece of threat modeling. It helps you to distribute your limited resources to the most critical issues.

Examples include:

  • Having to choose between implementing a feature to log all administrative actions or using SSL/TLS to encrypt traffic.
  • Deciding whether to implement access-control lists or strengthen the input validation process for your system first.

When to prioritize

Assign a priority to each issue according to its risk factor. Also select security controls that complement one another, so that together they provide a layered protection mechanism for your system.

This process can take some time. It also requires assistance from your colleagues and security team, so set aside enough time to work with them.

Learning objectives

By the end of this module, you're able to:

  • Assign priorities to issues.
  • Categorize security controls.
  • Understand each security control type and function.

Prerequisites

  • None