What is DREAD Threat Modeling Aproach

Transcript

1. What is DREAD Threat Modeling Approach? practical-devsecops.com | #CertifiedThreatModelingProfessional Decoding

   DREAD: Elevate Your Security Game Today!"

2. practical-devsecops.com | #CertifiedThreatModelingProfessional DREAD threat modeling is an approach used

   to prioritize threats based on their likelihood and impact. The approach is represented by an acronym “DREAD” which stands for: Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability. Each of these factors is ranked on a scale of 0-10, and the sum of these values helps to determine the overall risk. Higher values indicate greater risk, requiring immediate mitigation strategies.

3. Indicates no damage caused to the organization Information disclosure said

   to have occurred Non-sensitive user data has been compromised Non-sensitive administrative data has been compromised The entire information system has been destroyed. All data and applications are inaccessible 0 5 8 9 10 practical-devsecops.com | #CertifiedThreatModelingProfessional Damage potential is the amount of damage that a threat actor can cause, and is measured on the following scale: Damage potential

4. Difficult to replicate the attack Complex to replicate the attack

   Easy to replicate the attack Very easy to replicate the attack 0 5 0.75 10 practical-devsecops.com | #CertifiedThreatModelingProfessional Reproducibility indicates if it’s simple to replicate an attack. These are again plotted on a scale of 0 – 10. Reproducibility

5. Indicates that advanced programming and networking skills needed to exploit

   the vulnerability Available attack tools needed to exploit the vulnerability Web application proxies are needed to exploit the vulnerability Indicates the requirement of a web browser needed to exploit the vulnerability 2.5 5 9 10 practical-devsecops.com | #CertifiedThreatModelingProfessional Different organizational vulnerabilities can be exploited by using different tools and skills, as indicated by their ratings. They are rated as follows: Exploitability

6. No users affected Indicates chances of fewer individual users affected

   Few users affected Administrative users affected 0 1.5 6 8 practical-devsecops.com | #CertifiedThreatModelingProfessional Calculate the number of users who will be affected by an attack to determine the potential impact of the attack. This is again rated on a scale of 1 – 10. Affected Users All users affected 10

7. Indicates that advanced programming and networking skills needed to exploit

   the vulnerability Available attack tools needed to exploit the vulnerability Web application proxies are needed to exploit the vulnerability Indicates the requirement of a web browser needed to exploit the vulnerability 2.5 5 9 10 practical-devsecops.com | #CertifiedThreatModelingProfessional Different organizational vulnerabilities can be exploited by using different tools and skills, as indicated by their ratings. They are rated as follows: Exploitability

8. Indicates it’s hard to discover the vulnerability HTTP requests can

   uncover the vulnerability Vulnerability found in the public domain Vulnerability found in web address bar or form 0 5 8 10 practical-devsecops.com | #CertifiedThreatModelingProfessional On a scale of 1 – 10, this factor rates the discoverability of a vulnerability. Discoverability

9. Link in the description practical-devsecops.com | #CertifiedThreatModelingProfessional Become a Threat

   Modeling Expert with Us! Certified Threat Modeling Professional

10. Making Product Security Accessible to Everyone