You all know about DREAD for sure, a method to rate risk by damage potential, reproducibility, exploitability, affected users and discoverability. Within Microsoft, there was some kind of shift, away from DREAD ratings within high number ranges towards some simpler classification with 4 different levels of risk (low, medium, high and critical).
Well, while working on a methodology for applicable threat modeling, I stumbled across DREAD very often, and I hope that someone can help me out a little bit :-)
First of all, reproducibility is not useful very often. An attack can be done over and over again (most attacks) or one time only (DROP TABLE would not work twice on the same table). So the rating is either low or critical!? Is it because I have not created as many threat models as you guys that I have not found other reproducibility ratings in reality!?
Second, discoverability is very vague, I think. At first, it seems simpler to find some simple XSS than a second-order SQL injection. But how do I really know what the attacker knows? I tend to rate most of the vulnerabilities with a very high discoverability rating, because if I can think of it, some smart attacker will too for sure.
Third, the same applies to exploitability in a way. Additionally, exploitability seems to be strongly connected to discoverability!?
So my question is, do you people use DREAD as it is, or do you adapt it in some way, or are there other related methods that could fit into threat modeling? Thanks for any input, I'm just curious if I'm the only one who has this kind of issue...
Greetings from Germany, David
Moved by Hengzhe Li, Tuesday, 21 June 2011, 12:23: Forum Consolidate (From: Microsoft Security Development Lifecycle (SDL) - Threat Modeling)
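To make the post's complaint concrete, here is a small DREAD calculator added as an example for this thread; it is not code from the original post, from Microsoft, or from any SDL tool. It scores the classic form (five factors rated 1-10, averaged) and the lightweight form (five factors rated 1-3, summed to 5-15), and it shows the "reproducibility is either low or critical" point by forcing R to its two extremes. The bucket thresholds and the two sample threats (a reflected XSS and a one-shot second-order SQL injection ending in DROP TABLE) are assumptions constructed for illustration, not Microsoft's bug-bar definitions.

```python
from dataclasses import dataclass

# Added example for this thread, not Microsoft's code or a published SDL tool.
# Classic DREAD scores each factor 1-10 and averages them; the lightweight
# variant scores each factor 1-3 and sums them (range 5-15). All bucket
# thresholds below are assumptions chosen for illustration.

FACTORS = ("damage", "reproducibility", "exploitability",
           "affected_users", "discoverability")


@dataclass(frozen=True)
class Dread:
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def values(self) -> tuple:
        return tuple(getattr(self, f) for f in FACTORS)

    def check(self, lo: int, hi: int) -> None:
        """Reject ratings outside the scale the caller is using."""
        for name, v in zip(FACTORS, self.values()):
            if not lo <= v <= hi:
                raise ValueError(f"{name}={v} is outside {lo}..{hi}")


def classic_score(d: Dread) -> float:
    """Classic DREAD: mean of five 1-10 ratings."""
    d.check(1, 10)
    return sum(d.values()) / 5


def classic_level(score: float) -> str:
    """Assumed mapping of the 1-10 mean onto four levels."""
    if score >= 8:
        return "critical"
    if score >= 6:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def simple_score(d: Dread) -> int:
    """Lightweight DREAD: sum of five 1-3 ratings, range 5-15."""
    d.check(1, 3)
    return sum(d.values())


def simple_level(score: int) -> str:
    """Assumed three-level mapping for the 5-15 sum."""
    if score >= 12:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def reproducibility_band(d: Dread) -> tuple:
    """Classic score with R forced to 1 and to 10, everything else unchanged.

    If reproducibility is really only ever 'once' or 'always', a threat can
    only sit at one of these two endpoints, which always differ by 9/5 = 1.8
    no matter how the other four factors are rated.
    """
    others = {f: getattr(d, f) for f in FACTORS if f != "reproducibility"}
    lo = classic_score(Dread(reproducibility=1, **others))
    hi = classic_score(Dread(reproducibility=10, **others))
    return lo, hi


# Constructed sample threats (made-up ratings, for illustration only).
REFLECTED_XSS = Dread(damage=5, reproducibility=10, exploitability=8,
                      affected_users=6, discoverability=9)
# One-shot: second-order SQLi ending in DROP TABLE, works once per table.
DROP_TABLE_SQLI = Dread(damage=10, reproducibility=1, exploitability=4,
                        affected_users=10, discoverability=3)


def report(d: Dread) -> dict:
    """Classic score, its assumed level, and the R=1 / R=10 band."""
    s = classic_score(d)
    return {"score": s, "level": classic_level(s),
            "r_band": reproducibility_band(d)}


if __name__ == "__main__":
    for name, threat in (("reflected XSS", REFLECTED_XSS),
                         ("DROP TABLE SQLi", DROP_TABLE_SQLI)):
        print(name, report(threat))
```

With these (constructed) ratings the one-shot DROP TABLE lands at 5.6 ("medium") while the repeatable reflected XSS lands at 7.6 ("high"), even though the former destroys data for every user: the single reproducibility factor has pulled a catastrophic threat below a nuisance one, which is exactly the distortion the question describes. The `reproducibility_band` output makes the same point numerically, since each threat can only ever occupy the two ends of its 1.8-wide band.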