DREAD Framework
DREAD is a lightweight numeric risk-rating model designed for internal triage and prioritization. It provides a structured approach to evaluating vulnerabilities based on five factors, each scored from 0 to 10; the five scores are summed to a 0-50 total or averaged to a 0-10 score. The scales are coarse and subjective, so agree on reference examples for each level before comparing scores produced by different assessors.
DREAD Components
Damage Potential
Measures the extent of harm if the vulnerability is exploited.
- 10: Complete system compromise, data destruction
- 5: Information disclosure, service degradation
- 0: Minimal impact
Reproducibility
Assesses how easily the attack can be replicated.
- 10: Attack works every time, no special conditions
- 5: Attack works sometimes, requires timing or specific conditions
- 0: Nearly impossible to reproduce
Exploitability
Evaluates the technical skill and resources required to exploit.
- 10: No authentication needed, can be scripted
- 5: Requires authenticated access or specialized knowledge
- 0: Requires deep system knowledge and extensive resources
Affected Users
Determines the scope of users potentially impacted.
- 10: All users affected (default configuration)
- 5: Some users affected (specific configuration)
- 0: Very few users affected (administrative only)
Discoverability
Measures how easily the vulnerability can be found.
- 10: Visible in the browser address bar or otherwise publicly exposed
- 5: Requires network scanning or code review
- 0: Requires source code access and deep analysis
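The five scales above worked through in code. This is an added example, not VulnTrack's own scoring implementation: it validates each factor against the 0-10 scale, computes the raw 0-50 total and the 0-10 average, and ranks a set of findings. The triage bands and the sample findings are constructed for illustration and are not part of DREAD itself.

```python
"""DREAD scoring and triage ranking (added example; bands and findings are constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str
    damage: int           # Damage Potential, 0-10
    reproducibility: int  # Reproducibility, 0-10
    exploitability: int   # Exploitability, 0-10
    affected_users: int   # Affected Users, 0-10
    discoverability: int  # Discoverability, 0-10


FACTORS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")


def validate(finding: Finding) -> None:
    """Reject scores outside the 0-10 scale so a typo cannot silently dominate the ranking."""
    for name in FACTORS:
        value = getattr(finding, name)
        if not isinstance(value, int) or not 0 <= value <= 10:
            raise ValueError(f"{finding.name}: {name} must be an integer 0-10, got {value!r}")


def dread_total(finding: Finding) -> int:
    """Raw DREAD score: sum of the five factors, range 0-50."""
    validate(finding)
    return sum(getattr(finding, name) for name in FACTORS)


def dread_average(finding: Finding) -> float:
    """Average of the five factors, range 0-10; convenient next to a CVSS score."""
    return round(dread_total(finding) / len(FACTORS), 1)


def triage_band(total: int) -> str:
    """Assumed local triage bands over the 0-50 total; DREAD defines no bands of its own."""
    if total >= 40:
        return "critical"
    if total >= 25:
        return "high"
    if total >= 12:
        return "medium"
    return "low"


def rank(findings):
    """Highest total first; ties broken by Damage Potential, then by name for stable output."""
    return sorted(findings, key=lambda f: (-dread_total(f), -f.damage, f.name))


# Constructed sample findings; they do not describe real vulnerabilities in any product.
FINDINGS = [
    Finding("Race condition in coupon redemption",
            damage=5, reproducibility=4, exploitability=5, affected_users=5, discoverability=2),
    Finding("Unauthenticated SQL injection in login form",
            damage=9, reproducibility=10, exploitability=10, affected_users=10, discoverability=8),
    Finding("Stack trace disclosed on admin error page",
            damage=3, reproducibility=10, exploitability=5, affected_users=1, discoverability=5),
]


def triage_report(findings=FINDINGS):
    """Return (name, total, average, band) rows in priority order."""
    return [(f.name, dread_total(f), dread_average(f), triage_band(dread_total(f)))
            for f in rank(findings)]


if __name__ == "__main__":
    for name, total, avg, band in triage_report():
        print(f"{total:2d}/50  {avg:4.1f}/10  {band:8s}  {name}")
```

The validation step matters more than it looks: DREAD totals are compared across assessors, and a single out-of-range or mistyped factor moves a finding several places in the queue without anyone noticing.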
When to Use DREAD
- Internal risk assessment and triage
- Pre-patch prioritization decisions
- Custom application vulnerabilities
- Threat modeling workshops
STRIDE Framework
STRIDE is a threat modeling framework developed by Microsoft that categorizes threats into six types. Unlike DREAD, STRIDE focuses on identifying threat categories rather than scoring severity; each category is the violation of a security property (authentication, integrity, non-repudiation, confidentiality, availability, authorization), which makes it a useful checklist when walking through a design.
STRIDE Threat Categories
Spoofing
Impersonating something or someone else. Examples: credential theft, session hijacking, man-in-the-middle attacks
Tampering
Modifying data or code. Examples: SQL injection, parameter manipulation, file tampering
Repudiation
Claiming not to have performed an action. Examples of enabling weaknesses: missing audit logs, lack of transaction signing
Information Disclosure
Exposing information to unauthorized parties. Examples: data leaks, directory traversal, insecure storage
Denial of Service
Degrading or denying service to users. Examples: resource exhaustion, crash exploits, bandwidth flooding
Elevation of Privilege
Gaining unauthorized capabilities. Examples: privilege escalation, authorization bypass, remote code execution
In VulnTrack, you can tag vulnerabilities with applicable STRIDE categories to enhance threat modeling and pattern recognition across your vulnerability database.
When to Use STRIDE
- Design phase threat modeling
- Security architecture review
- Attack surface analysis
- Security requirements gathering
CVSS v3.1
The Common Vulnerability Scoring System (CVSS) is the industry-standard framework for communicating vulnerability severity. VulnTrack supports CVSS v3.1 scoring for compliance and external reporting. Record the vector string (for example CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) alongside the numeric score, so that the reasoning behind the number stays reviewable.
CVSS Metric Groups
Base Metrics (intrinsic characteristics of the vulnerability; these alone determine the Base score)
- Attack Vector (Network, Adjacent, Local, Physical)
- Attack Complexity (Low, High)
- Privileges Required (None, Low, High)
- User Interaction (None, Required)
- Scope (Unchanged, Changed)
- Confidentiality Impact (None, Low, High)
- Integrity Impact (None, Low, High)
- Availability Impact (None, Low, High)
Temporal Metrics (characteristics that change over time, such as exploit availability and patch status)
- Exploit Code Maturity
- Remediation Level
- Report Confidence
Environmental Metrics (characteristics of your own deployment; they adjust the Base score to local context)
- Modified Base Metrics
- Confidentiality/Integrity/Availability Requirements
CVSS Severity Ratings
| Score Range | Severity |
|---|---|
| 0.0 | None |
| 0.1 - 3.9 | Low |
| 4.0 - 6.9 | Medium |
| 7.0 - 8.9 | High |
| 9.0 - 10.0 | Critical |
When to Use CVSS
- Compliance reporting (PCI-DSS, HIPAA, etc.)
- Vulnerability disclosure
- Industry benchmarking
- External communication with vendors
OWASP Top 10
The OWASP Top 10 is a standard awareness document representing the most critical security risks to web applications. VulnTrack includes built-in research content analyzing each category. The categories listed below are those of the OWASP Top 10:2021 edition.
OWASP Top 10 Categories (2021 edition)
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery (SSRF)
Explore VulnTrack’s built-in Research blog for in-depth analysis of each OWASP Top 10 category, including real-world examples and remediation strategies.
Mapping Vulnerabilities to OWASP Top 10
VulnTrack allows you to tag vulnerabilities with OWASP Top 10 categories to:
- Track organizational exposure to common web application risks
- Generate compliance reports for security audits
- Identify patterns and training needs
- Benchmark against industry standards
Framework Comparison
| Framework | Purpose | Scoring | Best For |
|---|---|---|---|
| DREAD | Risk quantification | 0-50 total (five 0-10 factors), or 0-10 when averaged | Internal triage, custom apps |
| STRIDE | Threat categorization | Categorical | Threat modeling, design phase |
| CVSS | Standardized severity | 0-10 | Compliance, external reporting |
| OWASP Top 10 | Awareness & benchmarking | Categorical | Web app security, training |
Using Multiple Frameworks Together
VulnTrack’s unified approach allows you to leverage all frameworks simultaneously:
- Import CVE with automatic CVSS scoring
- Apply DREAD scoring for internal context
- Tag STRIDE categories for threat modeling
- Map to OWASP Top 10 for compliance
- Prioritize remediation using combined insights
Additional Resources
- VulnTrack Research Blog - Deep technical guides and analysis
- NIST NVD - The National Vulnerability Database, which publishes CVSS scores and vectors for CVE entries
- OWASP Foundation - Web application security resources
- Microsoft STRIDE - Threat modeling documentation