From the course: Static Application Security Testing


Application threat modeling: DREAD


- [Instructor] Similar to STRIDE, DREAD is another threat modeling approach included in the OWASP Code Review Guide. DREAD also found its origins within Microsoft, although they stopped using it internally by 2008. Keep in mind, though, that the DREAD creators weren't pushing for an academically vetted international standard for quantifying and qualifying risks; they were just looking for a better way to manage discussions around risks and threats, and they kept DREAD deliberately simple in an effort to accomplish that goal. Since IT and security professionals love our acronyms, they developed their own five-character mnemonic to make their threat modeling approach easier to remember. The first D in DREAD represents the damage attribute. If you're familiar with the NIST risk assessment model, this DREAD attribute maps directly to impact. Its primary concern is how bad things would really be if an attacker were successful. The…
