Threat Classification
...
You can use a simple High, Medium, or Low scale to prioritize threats. If a threat is rated as High, it poses a significant risk to your application and needs to be addressed as soon as possible. Medium threats need to be addressed, but with less urgency. You may decide to ignore low threats depending upon how much effort and cost is required to address the threat.
DREAD (OWASP version)
Rating | | High (10) | Medium (5) | Low (0) |
---|---|---|---|---|
D | Damage potential | Complete system or data destruction | Individual user data is compromised or affected. | Nothing |
R | Reproducibility | Just a web browser and the address bar is sufficient, without authentication. | One or two steps required, may need to be an authorized user. | Very hard or impossible, even for administrators of the application. |
E | Exploitability | Just a web browser | Malware exists on the Internet, or an exploit is easily performed, using available attack tools. | Advanced programming and networking knowledge, with custom or advanced attack tools. |
A | Affected users | All users | Some users, but not all | None |
D | Discoverability | The information is visible in the web browser address bar or in a form. | Can figure it out by guessing or by monitoring network traces. | Very hard to impossible; requires source code or administrative access. |
Table 3.7 shows an example DREAD rating for both threats:
Table 3.7 DREAD rating
Threat | D | R | E | A | D | Total | Rating |
---|---|---|---|---|---|---|---|
Attacker obtains authentication credentials by monitoring the network. | 10 | 10 | 5 | 5 | 5 | (10+10+5+5+5)/5 = 7 | High |
SQL commands injected into application. | 10 | 10 | 10 | 10 | 5 | (10+10+10+10+5)/5 = 9 | High |
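The Table 3.7 calculation carried through in code, as an added example rather than part of the original text: each factor is validated against the 0/5/10 scale, the five factors are averaged exactly as the table does, and the threats are ranked by score. The bands that turn an averaged score into High/Medium/Low are an assumption, since the page only shows that 7 and 9 rate as High.

```python
from dataclasses import dataclass

# DREAD uses one three-point scale for every factor: High=10, Medium=5, Low=0.
DREAD_SCALE = {"High": 10, "Medium": 5, "Low": 0}
FACTORS = ("damage", "reproducibility", "exploitability",
           "affected_users", "discoverability")

# Assumed bands for the averaged score; the page only shows 7 and 9 as High.
HIGH_THRESHOLD = 7
MEDIUM_THRESHOLD = 4


@dataclass(frozen=True)
class Threat:
    description: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def factor_values(self):
        return tuple(getattr(self, f) for f in FACTORS)


def dread_score(threat):
    """Average of the five DREAD factors, as in Table 3.7: (D+R+E+A+D)/5."""
    values = threat.factor_values()
    for name, value in zip(FACTORS, values):
        if value not in DREAD_SCALE.values():
            raise ValueError(f"{name} must be 0, 5 or 10, got {value}")
    return sum(values) / len(values)


def dread_rating(score):
    """Map the averaged score onto the High/Medium/Low priority scale."""
    if score >= HIGH_THRESHOLD:
        return "High"
    if score >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"


def rank_threats(threats):
    """Return (description, score, rating) rows, most severe first."""
    rows = [(t.description, dread_score(t), dread_rating(dread_score(t)))
            for t in threats]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# The two threats from Table 3.7, with the factor values given there.
TABLE_3_7 = [
    Threat("Attacker obtains authentication credentials by monitoring the network.",
           10, 10, 5, 5, 5),
    Threat("SQL commands injected into application.", 10, 10, 10, 10, 5),
]
```

Running `rank_threats(TABLE_3_7)` reproduces the table's totals of 7 and 9 and places the SQL injection threat first.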
DREAD (Microsoft version)
...
Threat Description | Attacker obtains authentication credentials by monitoring the network |
---|---|
Threat target | Web application user authentication process |
Risk rating | High |
Attack techniques | Use of network monitoring software |
Countermeasures | Use SSL to provide encrypted channel |