Web application security - the fast guide 1.1 | Page 54
Chapter 3 - Vulnerabilities and threat models
Discoverability: factor related to ease of threat discovery

| Level                                                         | Value |
|---------------------------------------------------------------|-------|
| Very hard, requires admin access                              | 0     |
| Guessing or monitoring network                                | 5     |
| Can be easily discovered (search engine), available publicly  | 9     |
| Visible directly (through address bar, as example)            | 10    |
The final DREAD risk is calculated as the average of the five categories:

Risk = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5
3.7 Threats and vulnerabilities models - CVSS
CVSS stands for Common Vulnerability Scoring System; its main purpose is to standardize vulnerability scoring so that risk can be prioritized consistently.
Scoring using CVSS is based on 3 main metric groups:
Base: characteristics of vulnerabilities that are constant over time and
environments.
Temporal: vulnerability characteristics that change over time but not with
environment.
Environmental: characteristics that are related to specific environments.
NIST Interagency Report 7435 – Metric groups
The base score is calculated as follows:

BaseScore = round_to_1_decimal(((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact))
Impact = 10.41 * (1 - (1-ConfImpact) * (1-IntegImpact) * (1-AvailImpact))
Exploitability = 20 * AccessVector * AccessComplexity * Authentication
f(Impact) = 0 if Impact = 0, 1.176 otherwise
AccessVector = case AccessVector of
    requires local access: 0.395
    adjacent network accessible: 0.646
    network accessible: 1.0
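The base-score formula above, coded as a small calculator. This is an added example, not code from the book. The AccessVector weights are the ones listed on the page; the AccessComplexity, Authentication and Confidentiality/Integrity/Availability impact weights are the standard CVSS version 2 values from the specification that NIST IR 7435 documents, supplied here because the page's listing stops at AccessVector. The vector-string format (AV:N/AC:L/Au:N/C:N/I:N/A:C) is the standard CVSS v2 base-vector notation; the sample vectors are constructed for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 metric weights. AccessVector values are the ones given on the page;
# the remaining tables are the standard CVSS v2 values from the specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}      # local / adjacent / network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}   # high / medium / low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}     # multiple / single / none
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}             # none / partial / complete

REQUIRED_METRICS = ("AV", "AC", "Au", "C", "I", "A")


def parse_vector(vector: str) -> dict:
    """Parse a CVSS v2 base vector such as 'AV:N/AC:L/Au:N/C:N/I:N/A:C'."""
    metrics = {}
    for part in vector.split("/"):
        key, sep, value = part.partition(":")
        if not sep or not value:
            raise ValueError(f"malformed metric {part!r}")
        metrics[key] = value
    missing = [k for k in REQUIRED_METRICS if k not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


def impact_subscore(conf: str, integ: str, avail: str) -> float:
    # Impact = 10.41 * (1 - (1-ConfImpact)*(1-IntegImpact)*(1-AvailImpact))
    return 10.41 * (1 - (1 - IMPACT[conf]) * (1 - IMPACT[integ]) * (1 - IMPACT[avail]))


def exploitability_subscore(av: str, ac: str, au: str) -> float:
    # Exploitability = 20 * AccessVector * AccessComplexity * Authentication
    return 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]


def base_score(vector: str) -> float:
    """CVSS v2 base score, rounded to one decimal as the formula requires."""
    m = parse_vector(vector)
    impact = impact_subscore(m["C"], m["I"], m["A"])
    exploitability = exploitability_subscore(m["AV"], m["AC"], m["Au"])
    if impact == 0:
        # f(Impact) = 0 when there is no impact at all, so the score is 0
        return 0.0
    f_impact = 1.176
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    # Decimal with ROUND_HALF_UP avoids surprises from binary floats and
    # Python's round-half-to-even behaviour.
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


if __name__ == "__main__":
    # Constructed sample vectors: a remote, unauthenticated availability-only
    # flaw; a full compromise; a no-impact vector; and a partial-impact one.
    for v in ("AV:N/AC:L/Au:N/C:N/I:N/A:C",
              "AV:N/AC:L/Au:N/C:C/I:C/A:C",
              "AV:N/AC:L/Au:N/C:N/I:N/A:N",
              "AV:N/AC:M/Au:S/C:P/I:P/A:N"):
        print(f"{v}  ->  {base_score(v)}")
```

The early return for Impact = 0 is the f(Impact) term written out: without it a negative intermediate multiplied by zero can produce -0.0, which compares equal to 0.0 but prints oddly. Note that the weights and formula are specific to CVSS v2; v3 and v4 use different sub-formulas and metric sets, so a calculator like this must not be applied to v3/v4 vector strings.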