Elevating Software Trust: Unveiling and Quantifying the Risk Landscape
August 06, 2024 Β· Declared Dead Β· π arXiv.org
"No code URL or promise found in abstract"
Evidence collected by the PWNC Scanner
Authors
Sarah Ali Siddiqui, Chandra Thapa, Rayne Holland, Wei Shao, Seyit Camtepe
arXiv ID
2408.02876
Category
cs.SE: Software Engineering
Citations
2
Venue
arXiv.org
Last Checked
4 months ago
Abstract
Considering the ever-evolving threat landscape and rapid changes in software development, we propose a risk assessment framework called SAFER (Software Analysis Framework for Evaluating Risk). This framework is based on the necessity of a dynamic, data-driven, and adaptable process to quantify security risk in the software supply chain. Usually, when formulating such frameworks, static pre-defined weights are assigned to reflect the impact of each contributing parameter while aggregating these individual parameters to compute resulting security risk scores. This leads to inflexibility, a lack of adaptability, and reduced accuracy, making them unsuitable for the changing nature of the digital world. We adopt a novel perspective by examining security risk through the lens of trust and incorporating the human aspect. Moreover, we quantify security risk associated with individual software by assessing and formulating risk elements quantitatively and exploring dynamic data-driven weight assignment. This enhances the sensitivity of the framework to cater to the evolving security risk factors associated with software development and the different actors involved in the entire process. The devised framework is tested through a dataset containing 9000 samples, comprehensive scenarios, assessments, and expert opinions. Furthermore, a comparison between scores computed by the OpenSSF scorecard, OWASP risk calculator, and the proposed SAFER framework has also been presented. The results suggest that SAFER mitigates subjectivity and yields dynamic data-driven weights as well as security risk scores.
Community Contributions
Found the code? Know the venue? Think something is wrong? Let us know!
π Similar Papers
In the same crypt β Software Engineering
R.I.P.
π»
Ghosted
R.I.P.
π»
Ghosted
Microservices: yesterday, today, and tomorrow
π
π
The Cartographer
A Survey of Machine Learning for Big Code and Naturalness
R.I.P.
π»
Ghosted
An Overview on Smart Contracts: Challenges, Advances and Platforms
R.I.P.
π»
Ghosted
Slither: A Static Analysis Framework For Smart Contracts
R.I.P.
π»
Ghosted
ContractFuzzer: Fuzzing Smart Contracts for Vulnerability Detection
Died the same way β π» Ghosted
R.I.P.
π»
Ghosted
Federated Learning: Strategies for Improving Communication Efficiency
R.I.P.
π»
Ghosted
In-Datacenter Performance Analysis of a Tensor Processing Unit
R.I.P.
π»
Ghosted
Deep Convolutional Neural Networks for Computer-Aided Detection: CNN Architectures, Dataset Characteristics and Transfer Learning
R.I.P.
π»
Ghosted