OOPN-SRAM: A Novel Method for Software Risk Assessment

This paper proposes a Software Risk Assessment Method based on Object-Oriented Petri Net (OOPN-SRAM), in which risk assessment procedure is divided into four steps, expressed as four corresponding objects, including asset recognition, weakness analysis, consequence property confirmation and risk calculation. Each object is modeled with Petri net. Specialists recognize software assets by the 1-9 scales method of Analytic Hierarchy Process (AHP). The weaknesses in a system are found by the vulnerability scanner. The damage degree and the exploitation likelihood of a weakness are evaluated by such authorities as Common Weakness Enumeration (CWE). The consequence properties are confirmed by specialists according to the software requirements. Finally, in the risk calculation, risk degree and overall risk value are calculated by using exponential method and weighted average method respectively. Furthermore, we illustrate the application of our OOPN-SRAM method with realistic examples including web-banking and forum, and make a comparison with traditional methods. The results show that OOPN-SRAM not only increases the efficiency of the evaluation process, but also makes the evaluation result more objective and accurate.