Elevating Software Trust: Unveiling and Quantifying the Risk Landscape
Sarah Ali Siddiqui, Chandra Thapa, Rayne Holland, Wei Shao, and Seyit Camtepe

TL;DR
This paper introduces SAFER, a dynamic, data-driven risk assessment framework for software security that incorporates trust and human factors, improving adaptability and accuracy over static models.
Contribution
The paper presents a novel risk assessment framework that dynamically assigns data-driven weights and integrates trust and human aspects for better security risk quantification.
Findings
SAFER reduces subjectivity in risk scoring.
It outperforms static models in adaptability.
Demonstrated on 9000 samples with comparative analysis.
Abstract
Considering the ever-evolving threat landscape and rapid changes in software development, we propose a risk assessment framework called SAFER (Software Analysis Framework for Evaluating Risk). This framework is based on the necessity of a dynamic, data-driven, and adaptable process to quantify security risk in the software supply chain. Usually, when formulating such frameworks, static pre-defined weights are assigned to reflect the impact of each contributing parameter while aggregating these individual parameters to compute resulting security risk scores. This leads to inflexibility, a lack of adaptability, and reduced accuracy, making them unsuitable for the changing nature of the digital world. We adopt a novel perspective by examining security risk through the lens of trust and incorporating the human aspect. Moreover, we quantify security risk associated with individual software…
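The abstract contrasts static, pre-defined weights with dynamic, data-driven weights when aggregating per-parameter indicators into a risk score, but does not show the mechanism. The following is an added illustration for this page, not code from the SAFER paper: the indicator names, the sample rows and the later batch are constructed, and the entropy-weight method used for the data-driven branch is a generic technique chosen for the contrast, not the paper's own weighting scheme. It shows the point the abstract makes: a fixed weight keeps charging every package for an indicator that does not discriminate between them, while a weight derived from the data drops to zero for a constant indicator and rises again on its own once new samples make that indicator vary.

```python
"""Static vs data-driven weighting of per-package risk indicators.

Added illustration for this page; it is not code from the SAFER paper, and
the entropy-weight method below is a generic technique chosen for the
contrast, not the paper's own weighting scheme.
"""
import math
from typing import Sequence, Tuple

# Constructed sample (assumed indicator names; not the paper's data).
# Each row is one package; each column is an indicator normalised to
# [0, 1], where higher means riskier.
INDICATORS = ("known_vuln_density", "dependency_age",
              "maintainer_turnover", "unsigned_release")
SAMPLES = [
    (0.9, 0.2, 0.1, 1.0),
    (0.8, 0.3, 0.2, 1.0),
    (0.1, 0.9, 0.8, 1.0),
    (0.2, 0.8, 0.9, 1.0),
]
# A later, constructed batch in which signed releases start to appear.
NEW_BATCH = [
    (0.5, 0.5, 0.5, 0.0),
    (0.4, 0.6, 0.4, 0.0),
]

# Static, expert-assigned weights: fixed at design time, never revisited.
STATIC_WEIGHTS = (0.4, 0.2, 0.2, 0.2)


def weighted_score(row: Sequence[float], weights: Sequence[float]) -> float:
    """Weighted-sum aggregation of one package's indicators."""
    if len(row) != len(weights):
        raise ValueError("indicator/weight length mismatch")
    return sum(x * w for x, w in zip(row, weights))


def score_all(samples: Sequence[Sequence[float]],
              weights: Sequence[float]) -> list:
    """Risk score for every package under the given weights."""
    return [weighted_score(r, weights) for r in samples]


def entropy_weights(samples: Sequence[Sequence[float]]) -> Tuple[float, ...]:
    """Derive weights from the observed data (entropy-weight method).

    An indicator that varies across packages discriminates between them
    and gets a high weight; one that is constant carries no information
    about relative risk and gets weight 0.
    """
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples to measure variation")
    k = len(samples[0])
    divergence = []
    for j in range(k):
        col = [row[j] for row in samples]
        total = sum(col)
        if total == 0.0:          # all-zero column: constant, no signal
            divergence.append(0.0)
            continue
        p = [x / total for x in col]
        # Shannon entropy normalised to [0, 1]; 1 means perfectly uniform.
        h = -sum(pi * math.log(pi) for pi in p if pi > 0.0) / math.log(n)
        divergence.append(max(0.0, 1.0 - h))
    s = sum(divergence)
    if s == 0.0:                  # every column constant: fall back to uniform
        return tuple(1.0 / k for _ in range(k))
    return tuple(d / s for d in divergence)


if __name__ == "__main__":
    w_dyn = entropy_weights(SAMPLES)
    for name, ws, wd in zip(INDICATORS, STATIC_WEIGHTS, w_dyn):
        print(f"{name:20s} static={ws:.2f} data-driven={wd:.3f}")
    print("static scores     :",
          [round(s, 3) for s in score_all(SAMPLES, STATIC_WEIGHTS)])
    print("data-driven scores:",
          [round(s, 3) for s in score_all(SAMPLES, w_dyn)])
    # Once the new batch arrives, unsigned_release varies again and its
    # weight becomes non-zero without anyone editing a constant.
    w_new = entropy_weights(SAMPLES + NEW_BATCH)
    print("unsigned_release weight after new batch:", round(w_new[3], 3))
```

With the first four samples, `unsigned_release` is 1.0 for every package, so the static scheme spends 20% of every score on an indicator that separates nothing, while the data-driven weights give it exactly zero and push the weight onto the two indicators that actually vary. Adding the second batch, where some releases are signed, makes its data-driven weight positive again, which is the adaptability the abstract contrasts with a fixed table of weights. Any weighting learned from data inherits the data's blind spots, so a constant indicator getting weight zero is only correct if the sample really represents the population being scored.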
Taxonomy
Topics: Information and Cyber Security
