The DREAD Risk Assessment Model
Details
DREAD is part of a system for risk-assessing computer security threats that was previously used at Microsoft. Although it is still used by OpenStack and other organisations, it was abandoned by its creators. It provides a mnemonic for risk-rating security threats using five categories.
DREAD scores five categories; the five scores are summed and divided by five, giving a result from 0 to 10, where 0 indicates no impact and 10 is the worst possible outcome:
Risk = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5
Describing Vulnerability Scores
We expect the impact of a vulnerability to be described in the following way:
Potential for: Tampering, Escalation

Category | Score | Rationale
---|---|---
Damage | 6 | Significant Disruption
Reproducibility | 8 | Code path is easily understood, condition exists as standard
Exploitability | 2 | Very hard to exploit without specific conditions
Affected Users | 8 | All cloud compute users
Discoverability | 10 | Discoverability always assumed to be 10

DREAD SCORE: 31/5 = 6.2 - Important, fix as a priority
Score Categories / Recommendations
The seemingly natural next step here would be to categorize vulnerabilities based on the DREAD score; perhaps 0-3 would be "Trivial, fix in next release" whereas 8-10 may be "Critical, fix immediately". It is not entirely clear that categorizing in this way should be the responsibility of the VMT (OpenStack's Vulnerability Management Team). By producing a DREAD score the VMT has told deployers what the vulnerability is likely to affect and how severely it will do so, as well as providing a mechanism to compare one vulnerability against another.
These scores will also provide value for security analysis over time: better categorization of vulnerabilities (through STRIDE) and scoring of impact (through DREAD) will allow the community to see which particular areas of design and implementation appear to be the weakest from a security standpoint.
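The formula, the worked table and the score-band idea above, as an added Python example (not code from the page or from OpenStack's VMT): it validates each category, applies the page's "Discoverability is always 10" convention, computes the average, and ranks several rated threats worst-first. The 0-3 and 8-10 band labels are the page's; the two middle bands and their thresholds are assumptions for illustration. Fed the table's own row scores it yields 6.8 (6+8+2+8+10 = 34), not the 31/5 = 6.2 printed in the table.

```python
from dataclasses import dataclass, fields

CATEGORIES = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")


@dataclass(frozen=True)
class DreadRating:
    """One rated threat; every DREAD category is an integer 0-10 (10 = worst)."""
    name: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int = 10  # page convention: always assumed to be 10

    def __post_init__(self):
        # Reject anything outside the 0-10 scale before it can skew the average.
        for f in fields(self):
            if f.name in CATEGORIES:
                v = getattr(self, f.name)
                if not isinstance(v, int) or not 0 <= v <= 10:
                    raise ValueError(f"{f.name} must be an int in 0..10, got {v!r}")

    def score(self) -> float:
        """Risk = (D + R + E + A + D) / 5, rounded to one decimal place."""
        total = sum(getattr(self, c) for c in CATEGORIES)
        return round(total / 5, 1)


# Severity bands keyed by inclusive upper bound. The first and last labels are
# from the page; the middle two bands are assumed, for illustration only.
BANDS = [
    (3.0, "Trivial, fix in next release"),
    (6.0, "Moderate, schedule a fix"),        # assumed band
    (8.0, "Important, fix as a priority"),    # assumed threshold, page's label
    (10.0, "Critical, fix immediately"),
]


def band(score: float) -> str:
    """Map a DREAD average onto a severity label."""
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score out of range: {score}")


def rank(ratings):
    """Order rated threats worst-first so deployers can compare them."""
    return sorted(ratings, key=lambda r: r.score(), reverse=True)


if __name__ == "__main__":
    # Constructed sample: the row scores of the "Tampering, Escalation" table above.
    t = DreadRating("tampering/escalation", 6, 8, 2, 8)
    print(t.name, t.score(), band(t.score()))
```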