
Keep the numbers meaningful in Security Reviews

I just came across this (older) post by Robert Hurlbut titled “DREAD is dead” and it reminded me of our experiences with these same ratings today. We are in the middle of a Security Review for a client and have been working through our threat model to assess the risk associated with each item. DREAD is a technique for assessing such risk using the factors: Damage potential, Reproducibility, Exploitability, Affected users and Discoverability. As Robert mentions, the idea is to rate the threat on each of these factors using a scale from 1 to 10. Then add up all the numbers for each threat (average it if you wish) and you can list the threats in DREAD priority.

The obvious problem … what is the real difference between a 7 or an 8? That is a tough call, especially when you have 50 or more threats to evaluate (consistency in your evaluation gets challenging across that many items!). We decided to settle on a simple system of low (1), medium (2) or high (3). We also simplified our analysis to just include the traditional Criticality/Severity and Likelihood of Occurrence – interestingly this is very similar to the Microsoft Solutions Framework (MSF) approach to categorizing and managing risk on a software development project.

Why all this effort to rate the risk? Most projects (yes, even Security Reviews!) have limited budget. This makes it important to use your resources on the most risky areas of your system. This becomes even more necessary when you have to trade off against items you will never have time to investigate.

Our risk analysis yielded a nice list of threats in the 4-6 point category, which we can now investigate starting with the most risky threats.

(PS. The authors of Writing Secure Code, 2nd Edition, mention always giving a 10 for Discoverability, as things will always be discovered at some point … this again shows how DREAD is too detailed and is not a meaningful measurement.)
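To make the two rating schemes concrete, here is an added example (my own illustration, not code from the post or from Robert's article) that scores a threat list under DREAD, with the Writing Secure Code convention of a fixed 10 for Discoverability, and under the simplified Severity plus Likelihood scheme, then picks out the 4-6 point bucket. The sample threats and their ratings are constructed for the illustration.

```python
from dataclasses import dataclass

# The five DREAD factors, each rated 1..10 as the post describes.
DREAD_FACTORS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")

@dataclass
class Threat:
    name: str
    dread: dict        # factor name -> rating 1..10
    severity: int      # simplified scheme: 1 = low, 2 = medium, 3 = high
    likelihood: int    # simplified scheme: 1 = low, 2 = medium, 3 = high

def dread_score(t: Threat, fixed_discoverability: bool = True) -> int:
    """Sum of the five DREAD factors (5..50). With fixed_discoverability,
    Discoverability always counts as 10, the Writing Secure Code convention."""
    ratings = dict(t.dread)
    if fixed_discoverability:
        ratings["discoverability"] = 10
    for f in DREAD_FACTORS:
        if not 1 <= ratings[f] <= 10:
            raise ValueError(f"{t.name}: {f} must be rated 1..10")
    return sum(ratings[f] for f in DREAD_FACTORS)

def simple_score(t: Threat) -> int:
    """Criticality/Severity plus Likelihood of Occurrence, each 1..3 (total 2..6)."""
    for v in (t.severity, t.likelihood):
        if v not in (1, 2, 3):
            raise ValueError(f"{t.name}: use 1 (low), 2 (medium) or 3 (high)")
    return t.severity + t.likelihood

def rank(threats, scorer):
    """Highest score first; sorted() is stable, so ties keep input order."""
    return sorted(threats, key=scorer, reverse=True)

def investigate_first(threats, minimum=4):
    """Names of threats in the post's 4-6 point bucket, most risky first."""
    return [t.name for t in rank(threats, simple_score) if simple_score(t) >= minimum]

# Constructed sample threats (hypothetical, not from the post's review).
SAMPLE = [
    Threat("Session token exposed in URL",
           dict(damage=7, reproducibility=9, exploitability=8, affected_users=6, discoverability=4), 3, 2),
    Threat("Verbose stack trace on error page",
           dict(damage=3, reproducibility=10, exploitability=9, affected_users=9, discoverability=9), 1, 3),
    Threat("Admin password stored in plaintext config",
           dict(damage=10, reproducibility=6, exploitability=3, affected_users=10, discoverability=2), 3, 1),
    Threat("Banner reveals server version",
           dict(damage=2, reproducibility=10, exploitability=10, affected_users=10, discoverability=10), 1, 1),
]
```

Ranking SAMPLE with `dread_score` puts the version banner on top (42) ahead of the plaintext admin password (39), while `simple_score` ranks the exposed session token first and drops the banner out of the 4-6 bucket, which is the kind of disagreement that makes the finer DREAD scale hard to defend.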

Jonathan Cogley is the CEO and founder of thycotic, a .NET consulting company and ISV in Washington DC. thycotic has just released Thycotic Secret Server, which is a secure web-based solution to both “Where is my Hotmail password?” and “Who has the password for our domain name?”. Secret Server is the leader in secret management and sharing within companies and teams.

  1. Robert Hurlbut
    December 15, 2005 at 1:50 pm

    Thanks for the interesting practical follow-up, Jonathan.

    What I found interesting is one of the reasons you can/need to simplify how you view threats is because ultimately you have to sell this to a business/stake owner. Security is important at every level, but it is most important that a business understand how security (or lack thereof) impacts a business’ bottom line.
