Slide 1

Slide 1 text

What is the DREAD Threat Modeling Approach? Decoding DREAD: Elevate Your Security Game Today! practical-devsecops.com | #CertifiedThreatModelingProfessional

Slide 2

Slide 2 text

DREAD threat modeling is an approach used to prioritize threats based on their likelihood and impact. The acronym stands for Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability. Each factor is scored on a scale of 0–10, and the five scores are summed to give the overall risk (0–50; some write-ups divide by five to keep the result on a 0–10 scale, which ranks threats identically). Higher values indicate greater risk and call for earlier mitigation. The scores are judgement calls, so a team should agree on a rubric, such as the one on the following slides, before rating anything, otherwise two reviewers will rank the same threat differently.

Slide 3

Slide 3 text

Damage potential

Damage potential is the amount of damage a threat actor can cause, measured on the following scale:

0 – No damage caused to the organization
5 – Information disclosure has occurred
8 – Non-sensitive user data has been compromised
9 – Non-sensitive administrative data has been compromised
10 – The entire information system has been destroyed; all data and applications are inaccessible

Slide 4

Slide 4 text

Reproducibility

Reproducibility indicates how simple it is to replicate an attack, again on a scale of 0–10:

0 – Difficult to replicate the attack
5 – Complex to replicate the attack
7.5 – Easy to replicate the attack
10 – Very easy to replicate the attack

Slide 5

Slide 5 text

Exploitability

Different vulnerabilities need different tools and skills to exploit, and the rating reflects how little an attacker needs:

2.5 – Advanced programming and networking skills are needed to exploit the vulnerability
5 – Available attack tools are needed to exploit the vulnerability
9 – A web application proxy is needed to exploit the vulnerability
10 – Only a web browser is needed to exploit the vulnerability

Slide 6

Slide 6 text

Affected users

Estimate how many users an attack would affect to gauge its potential impact, again on a scale of 0–10:

0 – No users affected
1.5 – A small chance that individual users are affected
6 – Few users affected
8 – Administrative users affected
10 – All users affected

Slide 8

Slide 8 text

Discoverability

On a scale of 0–10, this factor rates how easily an attacker can discover the vulnerability:

0 – Hard to discover the vulnerability
5 – HTTP requests can uncover the vulnerability
8 – The vulnerability is in the public domain
10 – The vulnerability is visible in the web address bar or in a form
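The five rubrics above, turned into a scorer, as an added example that is not part of the deck or of the certification material. It encodes the anchor values and wording from the slides (with the reproducibility anchor read as 7.5), validates that every factor sits on the 0–10 scale, computes both the summed score the deck describes and the divide-by-five form some write-ups use, and ranks a set of threats. The three sample threats and their scores are constructed for illustration; the `Threat` class, `anchor_text` helper and all function names are this example's own.

```python
"""DREAD scorer built around the rubric on these slides (example code)."""
from dataclasses import dataclass
from typing import Dict, List

# Anchor values and wording taken from the slides. The 7.5 reproducibility
# anchor appears as "0.75" in the extracted deck and is read as 7.5 here.
RUBRIC: Dict[str, Dict[float, str]] = {
    "damage": {0: "no damage", 5: "information disclosure",
               8: "non-sensitive user data compromised",
               9: "non-sensitive administrative data compromised",
               10: "entire system destroyed, all data and apps inaccessible"},
    "reproducibility": {0: "difficult to replicate", 5: "complex to replicate",
                        7.5: "easy to replicate", 10: "very easy to replicate"},
    "exploitability": {2.5: "advanced programming and networking skills needed",
                       5: "available attack tools needed",
                       9: "web application proxy needed",
                       10: "only a web browser needed"},
    "affected_users": {0: "no users", 1.5: "few individual users", 6: "few users",
                       8: "administrative users", 10: "all users"},
    "discoverability": {0: "hard to discover", 5: "HTTP requests can uncover it",
                        8: "in the public domain",
                        10: "visible in the address bar or a form"},
}
FACTORS = tuple(RUBRIC)  # insertion order matches the dataclass fields below


@dataclass(frozen=True)
class Threat:
    """One threat with its five DREAD factor scores (hypothetical type)."""
    name: str
    damage: float
    reproducibility: float
    exploitability: float
    affected_users: float
    discoverability: float

    def scores(self) -> Dict[str, float]:
        return {f: getattr(self, f) for f in FACTORS}


def validate(threat: Threat) -> None:
    """Every factor must lie on the 0-10 scale the deck uses."""
    for factor, value in threat.scores().items():
        if not 0 <= value <= 10:
            raise ValueError(f"{threat.name}: {factor}={value} is outside 0-10")


def dread_sum(threat: Threat) -> float:
    """The deck's method: sum of the five factors, 0-50, higher is riskier."""
    validate(threat)
    return sum(threat.scores().values())


def dread_average(threat: Threat) -> float:
    """Divide-by-five form (0-10); orders threats exactly as the sum does."""
    return dread_sum(threat) / len(FACTORS)


def anchor_text(factor: str, value: float) -> str:
    """Wording of the highest rubric anchor not above the value, for reports.
    Values below the lowest anchor fall back to that anchor."""
    anchors = RUBRIC[factor]
    eligible = [a for a in anchors if a <= value] or [min(anchors)]
    return anchors[max(eligible)]


def rank(threats: List[Threat]) -> List[Threat]:
    """Highest total first; ties broken by name so the order is stable."""
    return sorted(threats, key=lambda t: (-dread_sum(t), t.name))


# Constructed sample threats (not from the deck), scored against the anchors.
SAMPLE = [
    Threat("Stack trace on error page", damage=5, reproducibility=10,
           exploitability=10, affected_users=10, discoverability=10),
    Threat("IDOR on invoice download", damage=8, reproducibility=7.5,
           exploitability=9, affected_users=6, discoverability=5),
    Threat("Race in admin payout job", damage=9, reproducibility=0,
           exploitability=2.5, affected_users=8, discoverability=0),
]

if __name__ == "__main__":
    for t in rank(SAMPLE):
        print(f"{dread_sum(t):5.1f}  {t.name}")
        for f, v in t.scores().items():
            print(f"       {f:15} {v:>4}  {anchor_text(f, v)}")
```

Note how the ranking separates a low-damage but trivially found and exploited issue (45) from a high-damage bug that needs skill and luck to trigger (19.5): DREAD rewards the attacker's ease as much as the defender's loss, which is the point of scoring all five factors rather than damage alone.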

Slide 9

Slide 9 text

Become a Threat Modeling Expert with Us! Certified Threat Modeling Professional (link in the description)

Slide 10

Slide 10 text

Making Product Security Accessible to Everyone