Keep the numbers meaningful in Security Reviews

I just came across this post (older) by Robert Hurlbut titled "DREAD is dead" and it reminded me of our experiences with these same ratings today.  We are in the middle of a Security Review for a client and have been working through our threat model to assess the risk associated with each item.  DREAD is a technique for assessing such risk using the factors: Damage potential, Reproducibility, Exploitability, Affected users and Discoverability.  As Robert mentions, the idea is to rate the threat on each of these factors using a scale from 1 to 10.  Then add up all the numbers for each threat (average it if you wish) and you can list the threats in DREAD priority.

The obvious problem ... what is the real difference between a 7 or a 8?  That is a tough call especially when you have 50 or more threats to evaluate (consistency in your evaluation gets challenging across that many items!).  We decided to settle on a simple system of low (1), medium (2) or high (3).  We also simplified our analysis to just include the traditional Criticality/Severity and Likelihood of Occurrence - interestingly this is very similar to the Microsoft Solutions Framework (MSF) approach to categorizing and managing risk on a software development project.

Why all this effort to rate the risk?  Most projects (yes, even Security Reviews!) have limited budget.  This makes it important to use your resources on the most risky areas of your system.  This becomes even more necessary when you have to trade off against items you will never have time to investigate.

Our risk analysis yielded a nice list of threats in the 4-6 point category which we can now investigate starting with the most risky threats.

(Ps.  The authors in Writing Secure Code, 2nd Edition, mention always giving a 10 for Discoverability as things will always be discovered at some point ... this again shows how DREAD is too detailed and is not a meaningful measurement)

Jonathan Cogley is the CEO and founder of thycotic, a .NET consulting company and ISV in Washington DC.  thycotic has just released Thycotic Secret Server which is a secure web-based solution to both "Where is my Hotmail password?" and "Who has the password for our domain name?".  Secret Server is the leader in secret management and sharing within companies and teams.

1 Comment

  • Thanks for the intresting pratical follow-up, Jonathan.

    What I found interesting is one of the reasons you can/need to simplify how you view threats is because ultimately you have to sell this to a business/stake owner. Security is important at every level, but it is most important that a business understand how security (or lack thereof) impacts a business' bottom line.

Comments have been disabled for this content.