Fast Abstract: Software Selection Based on Quantitative Security Risk Assessment

Multiple software products often coexist on the same server, so a vulnerability in one product can compromise the entire environment. Security risk assessments of candidate software products being evaluated for inclusion in a larger system are therefore important. A quantitative security risk assessment model provides an objective criterion both for such assessments and for comparing candidate products against each other. In this paper, we present our preliminary exploration of a software product evaluation method based on such a quantitative security risk assessment model. Our goal is to build on prior research in quantitative security risk assessment, which draws on empirical data from the National Vulnerability Database (NVD), and to compare the security risk levels of the products under evaluation. We are evaluating the use of topic modeling to construct the security risk assessment model. Such a procedure could help decision makers evaluate and compare open-source software (OSS) products to ensure that they are safe and secure enough to be deployed in their environment.