A hierarchical model for quantifying software security based on static analysis alerts and software metrics
Software Quality Journal (IF 1.9), Pub Date: 2021-05-15, DOI: 10.1007/s11219-021-09555-0
Miltiadis Siavvas, Dionysios Kehagias, Dimitrios Tzovaras, Erol Gelenbe

Despite the acknowledged importance of quantitative security assessment in secure software development, current literature still lacks an efficient model for measuring internal software security risk. To this end, in this paper, we introduce a hierarchical security assessment model (SAM), able to assess the internal security level of software products based on low-level indicators, i.e., security-relevant static analysis alerts and software metrics. The model, following the guidelines of ISO/IEC 25010, and based on a set of thresholds and weights, systematically aggregates these low-level indicators in order to produce a high-level security score that reflects the internal security level of the analyzed software. The proposed model is practical, since it is fully automated and operationalized in the form of a standalone tool and as part of a broader Computer-Aided Software Engineering (CASE) platform. In order to enhance its reliability, the thresholds of the model were calibrated based on a repository of 100 popular software applications retrieved from Maven Repository. Furthermore, its weights were elicited in a way to chiefly reflect the knowledge expressed by the Common Weakness Enumeration (CWE), through a novel weights elicitation approach grounded on popular decision-making techniques. The proposed model was evaluated on a large repository of 150 open-source software applications retrieved from GitHub and 1200 classes retrieved from the OWASP Benchmark. The results of the experiments revealed the capacity of the proposed model to reliably assess internal security at both product level and class level of granularity, with sufficient discretion power. They also provide preliminary evidence for the ability of the model to be used as the basis for vulnerability prediction. To the best of our knowledge, this is the first fully automated, operationalized and sufficiently evaluated security assessment model in the modern literature.
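The abstract describes the model only at a high level: low-level indicators are normalized against thresholds and then aggregated through weighted levels of a hierarchy into one security score. The following is an added, illustrative reconstruction of that threshold-and-weight aggregation, not the authors' SAM implementation; the indicator names, threshold values, weights, hierarchy levels and the linear normalization function are all assumptions made for the example.

```python
"""Illustrative hierarchical security score in the spirit of the SAM described above.
All names, thresholds and weights below are constructed for this example."""

# Constructed thresholds per low-level indicator as (lower, upper) densities
# (e.g. alerts per 1000 lines of code). Assumed values, not the paper's calibration.
THRESHOLDS = {
    "null_pointer_alerts": (0.0, 5.0),
    "resource_handling_alerts": (0.0, 3.0),
    "cyclomatic_complexity": (5.0, 20.0),
    "coupling": (2.0, 15.0),
}

# Constructed hierarchy: indicators -> properties -> characteristics -> security.
PROPERTIES = {
    "null_pointer_handling": {"null_pointer_alerts": 0.7, "cyclomatic_complexity": 0.3},
    "resource_handling": {"resource_handling_alerts": 0.6, "coupling": 0.4},
}
CHARACTERISTICS = {
    "confidentiality": {"null_pointer_handling": 0.5, "resource_handling": 0.5},
    "availability": {"null_pointer_handling": 0.3, "resource_handling": 0.7},
}
SECURITY_WEIGHTS = {"confidentiality": 0.5, "availability": 0.5}


def normalize(name, value):
    """Map a raw density to [0, 1]: 1.0 at or below the lower threshold,
    0.0 at or above the upper threshold, linear in between (assumed shape)."""
    lo, hi = THRESHOLDS[name]
    if value <= lo:
        return 1.0
    if value >= hi:
        return 0.0
    return 1.0 - (value - lo) / (hi - lo)


def weighted(scores, weights):
    """Weighted average of the child scores named in `weights`."""
    return sum(scores[k] * w for k, w in weights.items()) / sum(weights.values())


def security_score(measurements):
    """Aggregate raw measurements bottom-up; returns (score, characteristics, properties)."""
    indicators = {k: normalize(k, v) for k, v in measurements.items()}
    props = {p: weighted(indicators, w) for p, w in PROPERTIES.items()}
    chars = {c: weighted(props, w) for c, w in CHARACTERISTICS.items()}
    return weighted(chars, SECURITY_WEIGHTS), chars, props


if __name__ == "__main__":
    # Constructed sample measurements for one analyzed product.
    sample = {"null_pointer_alerts": 2.5, "resource_handling_alerts": 3.0,
              "cyclomatic_complexity": 5.0, "coupling": 8.5}
    print(security_score(sample))
```

Because every level is a weighted average of scores already clipped to [0, 1], the final score stays in [0, 1] and a product at or below every lower threshold scores exactly 1.0.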




Updated: 2021-05-15