reading-notes

Dedicated to my thoughts while learning cybersec

threat model

Web Application Threat Modeling with OWASP, DREAD

10/26/2020

Threat modeling: the sooner the better, but never too late.

Most bugs reach production through the development process. OWASP recommends bringing the security and development teams together to build a shared understanding, so that they can identify threats and compliance requirements, evaluate risk, and build the required controls.

Threat Modeling Considerations

  1. What are we building?
    • Architecture diagrams
      • Do we need it?
    • Dataflow transitions
    • Data classifications
  2. What can go wrong?
    • STRIDE
    • Kill Chains
    • CAPEC
  3. What are we going to do about that?
    • Contextualise the risk
    • Weight risk vs value
    • Agreement & Tagging
    • Fix Implementation
  4. Did we do a good enough job?
    • Retrospective
      • Check quality, feasibility, progress
      • Test Test Test

DREAD

DREAD is an acronym for a risk assessment model. It was created at Microsoft and is used as a standard by OpenStack.

DREAD rates five categories; the five ratings are summed and divided by five, giving a final score from 0 to 10.
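As an added illustration of the scoring rule above (my own example, not code from OWASP, Microsoft or OpenStack), the following Python rates a few constructed findings, validates that every category stays in the 0-10 range, averages them into a DREAD score, and ranks the findings so the "weight risk vs value" step has something to work from. The category names used are the standard DREAD ones (Damage, Reproducibility, Exploitability, Affected users, Discoverability); the high/medium/low bands and the sample findings are assumptions for the demo, not values from these notes.

```python
"""DREAD scoring: five categories rated 0-10, summed and divided by five."""
from dataclasses import dataclass, fields

# Standard DREAD category names (the notes' own list is cut off above).
CATEGORIES = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")


@dataclass(frozen=True)
class DreadRating:
    """One rating per category; each must be an integer between 0 and 10."""
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        # Reject out-of-range or non-integer ratings early so a typo cannot
        # silently push a finding up or down the ranking.
        for f in fields(self):
            value = getattr(self, f.name)
            if not isinstance(value, int) or not 0 <= value <= 10:
                raise ValueError(f"{f.name} must be an integer 0-10, got {value!r}")


def dread_score(rating: DreadRating) -> float:
    """Sum the five categories and divide by five: a 0-10 score."""
    total = sum(getattr(rating, name) for name in CATEGORIES)
    return total / len(CATEGORIES)


def risk_band(score: float) -> str:
    """Assumed bands for triage; thresholds are not from the notes."""
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def rank_findings(findings: dict[str, DreadRating]) -> list[tuple[str, float, str]]:
    """Return (name, score, band) tuples, highest DREAD score first."""
    scored = [(name, dread_score(r), risk_band(dread_score(r)))
              for name, r in findings.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample findings for a hypothetical web application.
SAMPLE_FINDINGS = {
    "SQL injection in login form": DreadRating(8, 10, 7, 9, 8),
    "Verbose stack trace on error page": DreadRating(2, 10, 5, 3, 6),
    "No rate limit on password reset": DreadRating(4, 8, 4, 6, 5),
}

if __name__ == "__main__":
    for name, score, band in rank_findings(SAMPLE_FINDINGS):
        print(f"{score:4.1f}  {band:6}  {name}")
```

Rankings from the averaged score are only as good as the agreement behind each rating, which is why the "Agreement & Tagging" step matters: the validation here catches typos, not disagreements about what a 7 means.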

The categories are: