The ATM document is not a replacement for risk assessment, but it is a guide for you to get only the high-level application security risks.
Always ask the following questions to get a quick risk level of the application as a whole:
- Does the application handle any confidential data? Y/N
- Does the application write data to the backend? Y/N
- Any impact on the company's public image? Y/N
- Any impact on the company's clients? Y/N
- Is the application accessible from the internet? Y/N
- Is the application accessible from mobile devices? Y/N
- Does the application interact with third-party services? Y/N
- Is the application developed by a third-party? Y/N
Wait, there is more—this is just an overall questionnaire that can give you a head start. Next, you need to classify the attacker's goals using the STRIDE methodology, which stands for:
- Spoofing: When a hacker steals the credentials/session of the victim
- Tampering: The threat is accomplished by manipulating data at rest and in transit
- Repudiation: This happens when we cannot trace who did what
- Information Disclosure: This threat reveals confidential information to a hacker without being authorized to do it
- Denial of Service: Threat targeting the systems and making them unusable by clients
- Elevation of Privilege: Threat aimed to gain administrator privileges on the remote system
Then, we take each security threat and give it a risk rank point using the DREAD methodology.
Here's a simple explanation of the DREAD ranking:
- Damage (impact?)
- Reproducibility (how easy it is?)
- Exploitability (time and effort?)
- Affected Users (how many users, including clients and employees?)
- Discoverability (easy to discover?)
To calculate it, you need to give a rank number for each from 1 to 10, where 1 is low and 10 is high. After that, you add all the scores together and divide them by five and you will get the average result. Don't worry, you will see a practical example soon; for the time being, try to get the big picture.
The way to get a score/rating using DREAD is easy; the following table tells the story:
|
Name |
High (8-10) |
Medium (4-7) |
Low (1-3) |
|
|
D |
Damage |
The attacker can subvert the security system; upload contents; get a remote shell; run as administrator. |
Leaking some confidential information. |
Leaking non-confidential Information. |
|
R |
Reproducibility |
It can be reproduced in a short period of time. |
It can be reproduced in certain situations. |
It's very hard to reproduce the attack. |
|
E |
Exploitability |
A script kiddie can exploit the vulnerability. |
It takes some skills to exploit the vulnerability. |
It takes someone with highly advanced skills to exploit the vulnerability. |
|
A |
Affected Users |
More than 1,000 customers affected. |
Between 100 and 1,000 customers affected. |
Less than 100 customers affected. |
|
D |
Discoverability |
Can be easily discovered using trivial tools. |
Discovering the vulnerability will take some skills. |
Discovering the vulnerability is highly difficult. |
Some people like to use the Information Security formula to calculate the security risk: