
06/19/2012

Comments


Jake Evans

First off, I just wanted to say that I found DREAD to be extremely useful in a web app pen test I recently performed. I'm very grateful to not have to use something like CVSS for the task of assigning risk scores to findings.

But one thing that I've wondered about DREAD is why it seems to be weighted more heavily toward "likelihood" (Reproducibility + Discoverability + Exploitability) versus "impact" (Damage + Affected Users). Since the DREAD score is a raw average of the 5 measures it appears as though "likelihood" is given more weight than "impact".

What are your thoughts on that? What was the rationale behind that decision when DREAD was being put together?

Thanks, and once again, I really like DREAD.
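As an added illustration of the weighting point raised in the comment above (example code written for this page, not the commenter's or DREAD's own): the raw five-way average silently weights likelihood (R + E + D) at 3/5 and impact (D + A) at 2/5, so two findings with mirror-image profiles come out in a different order than under an alternative that gives the two groups equal weight. The two findings and the "balanced" scheme are constructed for the example.

```python
from dataclasses import dataclass, fields
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Dread:
    """The five DREAD ratings of one finding, each on a 0-10 scale."""
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        for f in fields(self):
            v = getattr(self, f.name)
            if not 0 <= v <= 10:
                raise ValueError(f"{f.name}={v} is outside the 0-10 scale")

    def raw_average(self) -> float:
        """The usual DREAD score: a plain mean of all five ratings."""
        return sum(getattr(self, f.name) for f in fields(self)) / 5

    def likelihood(self) -> float:
        """Mean of the three 'how likely' ratings: R, E and D."""
        return (self.reproducibility + self.exploitability + self.discoverability) / 3

    def impact(self) -> float:
        """Mean of the two 'how bad' ratings: Damage and Affected users."""
        return (self.damage + self.affected_users) / 2

    def balanced(self) -> float:
        """Hypothetical alternative: likelihood and impact get equal weight."""
        return (self.likelihood() + self.impact()) / 2


def implicit_weights() -> Dict[str, float]:
    """Weight the raw average assigns to each group: 3 of 5 ratings vs 2 of 5."""
    return {"likelihood": 3 / 5, "impact": 2 / 5}


def rank(findings: Dict[str, Dread], scheme: str = "raw_average") -> List[Tuple[str, float]]:
    """Order findings by the chosen scoring method, highest score first."""
    scored = [(name, getattr(d, scheme)()) for name, d in findings.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed findings: same ratings, swapped between the impact and likelihood groups.
FINDINGS = {
    "high-impact, hard-to-exploit": Dread(9, 3, 3, 9, 3),
    "low-impact, easy-to-exploit": Dread(3, 9, 9, 3, 9),
}

if __name__ == "__main__":
    print("implicit weights of the raw average:", implicit_weights())
    for scheme in ("raw_average", "balanced"):
        print(scheme, rank(FINDINGS, scheme))
```

Under the raw average the easy-to-exploit finding scores 6.6 against 5.4 for the high-impact one; under the balanced scheme both score 6.0.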

Jason Taylor

That's a good question. I was actually the guy who came up with DREAD (though I didn't invent the cool sounding acronym, that was the work of Loren Kohnfelder). At the time I was trying to solve a simple problem. How do I quickly and easily characterize a vulnerability so that I could argue for its inclusion, or not, in the next release or patch? I thought of all the characteristics that mattered to my triage team (Internet Explorer 4 at that time) and would impact our business and customers. I didn't try to weight them or put number values on them at that time, I just used it as a way to describe the vulnerability in short hand:
Damage - What's the worst thing that could happen?
Repro - How often would it reproduce? Was it a timing issue that happened only 10% of the time, or a perfectly repeatable problem?
Exploitability - How hard was it to actually realize the max damage?
Affected Users - Was there a compatibility issue or some other factor that meant it would only impact a percentage of our users?
Discoverability - How hard was it to find and realize an exploit?

This was before we all had figured out that discoverability is not a good hedge against attackers - we hadn't figured out how persistent, devious and intelligent a good hacker can be - so it was a characteristic that made sense to me at the time but is not something I would consider much anymore. I guess it hung around because DREA doesn't sound as cool as DREAD!

Adding numerical scores is something that others added later, and is not something that I generally believe in or ever found useful - but to each their own!
