Title:Elevating Software Trust: Unveiling and Quantifying the Risk Landscape

Abstract:Considering the ever-evolving threat landscape and rapid changes in software development, we propose a risk assessment framework SRiQT (Software Risk Quantification through Trust). This framework is based on the necessity of a dynamic, data-driven, and adaptable process to quantify risk in the software supply chain. Usually, when formulating such frameworks, static pre-defined weights are assigned to reflect the impact of each contributing parameter while aggregating these individual parameters to compute resulting risk scores. This leads to inflexibility, a lack of adaptability, and reduced accuracy, making them unsuitable for the changing nature of the digital world. We adopt a novel perspective by examining risk through the lens of trust and incorporating the human aspect. Moreover, we quantify risk associated with individual software by assessing and formulating risk elements quantitatively and exploring dynamic data-driven weight assignment. This enhances the sensitivity of the framework to cater to the evolving risk factors associated with software development and the different actors involved in the entire process. The devised framework is tested through a dataset containing 9000 samples, comprehensive scenarios, assessments, and expert opinions. Furthermore, a comparison between scores computed by the OpenSSF scorecard, OWASP risk calculator, and the proposed SRiQT framework has also been presented. The results suggest that SRiQT mitigates subjectivity and yields dynamic data-driven weights as well as risk scores.