November 15, 2005

Secure Software Programming: DREAD is Dead.

So yesterday at the Westcoast Security Forum I sat in on Dan Seller's latest threat modeling presentation from Microsoft. It has been interesting to watch the process evolve over time:

  • In Michael Howard's first edition of Writing Secure Code (semi-review from 2002 here), DREAD analysis wasn't considered when introducing threat modeling.
  • In Michael Howard's second edition of Writing Secure Code, DREAD analysis was the de facto standard method of performing the analysis. I wasn't a fan of this, as I prefer using the standard infosec risk formula of:

    risk = Probability(chance) * Damage Potential (damage)

  • In Frank Swiderski's Threat Modeling book (my review here), Microsoft went one step further and got deeper into DREAD. I started looking towards DREAD, kicking and screaming all the way.

Now... DREAD is dead, according to Dan. As I expected, DREAD was too subjective to be useful at Microsoft. Security-minded individuals would rank everything extremely high, making most threats look like a 10. Most developers not focused on security would give threats low ratings, making them look like a 0 or 1. Such polarity didn't make much sense, and they decided to drop DREAD.

So what are they now using instead? They are using the Microsoft Security Response Center Security Bulletin Severity Rating System. Instead of a rating scale from 0 to 10 where most things end up as either a 1 or a 10 anyway, a threat is now placed into one of four categories:

  1. Critical: A vulnerability whose exploitation could allow the propagation of an Internet worm without user action.
  2. Important: A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing resources.
  3. Moderate: Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.
  4. Low: A vulnerability whose exploitation is extremely difficult, or whose impact is minimal.

This seems logical if you consider the progression of Microsoft as it relates to security updates. Prioritizing threats in this manner gets to the heart of what HAS to get done first. It matches well with the Security Response Center. And overall, it's much less subjective. Tie this to the fact that you can match STRIDE analysis up against this rating system, and you find this may indeed work better than DREAD.
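To make the four categories concrete, here is the rating system above written as an explicit decision rule that also records which definition applied, so a rating can be justified rather than just asserted. This is an added example, not code from the original post or from Microsoft's process; the STRIDE-to-CIA mapping, the order in which the definitions are checked, and the sample threats are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple
# CIA properties each STRIDE category threatens. This mapping is an assumption
# of the example; the post only says STRIDE can be matched to the MSRC ratings.
STRIDE_IMPACT = {
    "S": "integrity", "T": "integrity", "R": "integrity",
    "I": "confidentiality", "D": "availability",
    "E": "confidentiality/integrity/availability",
}
SEVERITIES = ["Critical", "Important", "Moderate", "Low"]  # fix-first order

@dataclass
class Threat:
    name: str
    stride: str                         # one STRIDE letter, e.g. "T"
    wormable: bool = False              # can spread to other hosts with no user action
    mitigated_by_default: bool = False  # default config, auditing or difficulty
    extremely_difficult: bool = False   # exploitation is extremely difficult
    minimal_impact: bool = False        # little damage even if exploited

def msrc_severity(t: Threat) -> Tuple[str, str]:
    """Map a threat to an MSRC severity level plus the definition that applied.
    Check order is an assumption of this example: Critical wins outright, the Low
    conditions come next because they describe the threat itself, a default
    mitigation downgrades to Moderate, and everything left is Important."""
    if t.wormable:
        return "Critical", "could propagate like a worm without user action"
    if t.extremely_difficult or t.minimal_impact:
        return "Low", "extremely difficult to exploit or minimal impact"
    if t.mitigated_by_default:
        return "Moderate", "mitigated by default configuration, auditing or difficulty"
    return "Important", f"compromises {STRIDE_IMPACT[t.stride]} (STRIDE {t.stride})"

def prioritize(threats: List[Threat]) -> List[Tuple[str, str, str]]:
    """Return (severity, name, reason) in the order the threats must be fixed."""
    rated = [(msrc_severity(t), t) for t in threats]
    rated.sort(key=lambda r: (SEVERITIES.index(r[0][0]), r[1].name))
    return [(sev, t.name, why) for (sev, why), t in rated]

# Constructed sample threats for a hypothetical file-sync service.
SAMPLE = [
    Threat("debug log leaks session tokens (logging off by default)", "I", mitigated_by_default=True),
    Threat("unauthenticated sync listener reachable from any host", "E", wormable=True),
    Threat("local user edits unsigned config to redirect uploads", "T"),
    Threat("clock-skew side channel needing physical access", "I", extremely_difficult=True),
]

if __name__ == "__main__":
    for sev, name, why in prioritize(SAMPLE):
        print(f"{sev:<9} {name}: {why}")
```

The reason string is the part that answers "why is this a high?": it names the published definition that fired instead of a number someone picked.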

DREAD is dead.

P.S. In the next day or so I hope to be able to post a few more items of interest that I learned from Dan, including a copy of his slide deck. There are some changes to the DFD process now to consider, and I would like to ensure you guys get your hands on a copy of the slide deck when he returns to Microsoft. I'll keep you posted.

Posted by SilverStr at November 15, 2005 09:19 AM
Comments

The slide deck is probably very similar to what I presented on Threat Modeling recently, as I borrowed some slides and ideas from the talk Michael Howard gave at PDC 2005. In that talk, he mentioned that DREAD was really too subjective (causing hours of arguments at times) and presented the same simple formula you mention here (and I included in my slide deck as well).

Posted by: Robert Hurlbut at November 15, 2005 01:26 PM

Granted DREAD was always kinda hard to work with, especially when clients had a mix of internal and external applications.

The problem I still see is trying to convince a senior manager that a particular risk is a high. They want to know the usual answers:

- What's the threat rating?
- How easy is it to exploit?
- How long do we need to spend on getting it fixed?

and in most cases us security consultants can't just go "it's a high, get it fixed".

So where do we go from here?

Posted by: Daniel Cuthbert at November 19, 2005 10:48 AM