Threat Classification
STRIDE
...
You can use a simple High, Medium, or Low scale to prioritize threats. If a threat is rated as High, it poses a significant risk to your application and needs to be addressed as soon as possible. Medium threats need to be addressed, but with less urgency. You may decide to ignore low threats depending upon how much effort and cost is required to address the threat.
DREAD (OWASP version)
| Rating | High (10) | ... (9) | Medium (5) | Low (0) | |
|---|---|---|---|---|---|
| D | Damage potential | Complete system or data destruction | Individual user data is compromised or affected. | Nothing | |
| R | Reproducibility | Just a web browser and the address bar is sufficient, without authentication. | One or two steps required, may need to be an authorized user. | Very hard or impossible, even for administrators of the application. | |
| E | Exploitability | Just a web browser | Malware exists on the Internet, or an exploit is easily performed, using available attack tools. | Advanced programming and networking knowledge, with custom or advanced attack tools. | |
| A | Affected users | All users | Some users, but not all | None | |
| D | Discoverability | The information is visible in the web browser address bar or in a form. | Details of faults like this are already in the public domain and can be easily discovered using a search engine. | Can figure it out by guessing or by monitoring network traces. | Very hard to impossible; requires source code or administrative access. |
Table 3.7 shows an example DREAD rating for both threats:
Table 3.7 DREAD rating
| Threat | D | R | E | A | D | Total | Rating |
|---|---|---|---|---|---|---|---|
| Attacker obtains authentication credentials by monitoring the network. | 10 | 10 | 5 | 5 | 5 | (10+10+5+5+5)/5 = 7 | High |
| SQL commands injected into application. | 10 | 10 | 10 | 10 | 5 | (10+10+10+10+5)/5 = 9 | High |
DREAD (Microsoft version)
The problem with a simplistic rating system is that team members usually will not agree on ratings. To help solve this, add new dimensions that help determine what the impact of a security threat really means. At Microsoft, the DREAD model is used to help calculate risk. By using the DREAD model, you arrive at the risk rating for a given threat by asking the following questions:
...
| Rating | High (3) | Medium (2) | Low (1) | |
|---|---|---|---|---|
| D | Damage potential | The attacker can subvert the security system; get full trust authorization; run as administrator; upload content. | Leaking sensitive information | Leaking trivial information |
| R | Reproducibility | The attack can be reproduced every time and does not require a timing window. | The attack can be reproduced, but only with a timing window and a particular race situation. | The attack is very difficult to reproduce, even with knowledge of the security hole. |
| E | Exploitability | A novice programmer could make the attack in a short time. | A skilled programmer could make the attack, then repeat the steps. | The attack requires an extremely skilled person and in-depth knowledge every time to exploit. |
| A | Affected users | All users, default configuration, key customers | Some users, non-default configuration | Very small percentage of users, obscure feature; affects anonymous users |
| D | Discoverability | Published information explains the attack. The vulnerability is found in the most commonly used feature and is very noticeable. | The vulnerability is in a seldom-used part of the product, and only a few users should come across it. It would take some thinking to see malicious use. | The bug is obscure, and it is unlikely that users will work out damage potential. |
After you ask the above questions, count the values (13) for a given threat. The result can fall in the range of 515. Then you can treat threats with overall ratings of 1215 as High risk, 811 as Medium risk, and 57 as Low risk.
For example, consider the two threats described earlier:
...