Disclosed are various embodiments for establishing risk profiles for software packages that have an insufficient security history. A security history for a software package is received. It is determined that the security history does not meet a sufficiency threshold. One or more other software packages are identified that are similar to the software package and have a corresponding security history that meets the sufficiency threshold. A risk profile of the software package is generated based at least in part on the corresponding security history of the other software package(s).
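The four steps of the abstract (receive a security history, test it against a sufficiency threshold, find similar packages whose history does pass, derive the risk profile from theirs) can be made concrete. The following is an added worked example, not code from the patent or from any product it covers. It assumes the specifics the abstract leaves open: a security history is the number of vulnerabilities recorded over the months a package has been observed, sufficiency is a minimum observation period, similarity is Jaccard overlap of descriptive tags, and the profile is a similarity-weighted vulnerability rate pooled over the peer packages. The package records are constructed sample data.

```python
"""Risk profile for a software package with an insufficient security history.

Added example, not the patent's or any vendor's code. Assumed specifics:
  - security history = vulnerabilities recorded over an observed period (months)
  - sufficiency threshold = minimum months of observation (SUFFICIENCY_MONTHS)
  - similarity = Jaccard overlap of descriptive tags (ecosystem, purpose, ...)
  - risk profile = similarity-weighted vulnerabilities/year over peer packages
All package data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SUFFICIENCY_MONTHS = 24      # assumed: two years of observation counts as sufficient
SIMILARITY_THRESHOLD = 0.5   # assumed: minimum tag overlap to treat a package as a peer


@dataclass(frozen=True)
class Package:
    name: str
    tags: frozenset            # descriptive tags used for the similarity check
    observed_months: int       # length of the recorded security history
    vulns: int                 # vulnerabilities recorded in that period


def history_is_sufficient(pkg: Package) -> bool:
    """Step 2: does the package's own history meet the sufficiency threshold?"""
    return pkg.observed_months >= SUFFICIENCY_MONTHS


def similarity(a: Package, b: Package) -> float:
    """Jaccard overlap of tag sets, 0.0 (disjoint) to 1.0 (identical)."""
    union = a.tags | b.tags
    return len(a.tags & b.tags) / len(union) if union else 0.0


def vuln_rate_per_year(pkg: Package) -> float:
    """Vulnerabilities per year; only called for packages with a non-empty history."""
    return pkg.vulns / (pkg.observed_months / 12)


def similar_with_sufficient_history(target: Package,
                                    corpus: List[Package]) -> List[Tuple[Package, float]]:
    """Step 3: peers that are similar enough AND have a sufficient history."""
    peers = []
    for other in corpus:
        if other.name == target.name or not history_is_sufficient(other):
            continue
        score = similarity(target, other)
        if score >= SIMILARITY_THRESHOLD:
            peers.append((other, score))
    return peers


def risk_profile(target: Package, corpus: List[Package]) -> dict:
    """Step 4: use the package's own history if sufficient, otherwise pool its peers'."""
    if history_is_sufficient(target):
        return {"package": target.name, "basis": "own_history",
                "vulns_per_year": round(vuln_rate_per_year(target), 3), "peers": []}
    peers = similar_with_sufficient_history(target, corpus)
    if not peers:
        # No usable peers: report the gap rather than inventing a number.
        return {"package": target.name, "basis": "insufficient_data",
                "vulns_per_year": None, "peers": []}
    total_weight = sum(score for _, score in peers)
    pooled = sum(vuln_rate_per_year(p) * score for p, score in peers) / total_weight
    return {"package": target.name, "basis": "similar_packages",
            "vulns_per_year": round(pooled, 3), "peers": [p.name for p, _ in peers]}


# Constructed sample corpus: three established packages and one new arrival.
CORPUS = [
    Package("fastparse", frozenset({"python", "parser", "network"}), 48, 6),
    Package("netparse", frozenset({"python", "parser", "network", "tls"}), 36, 3),
    Package("colorlog", frozenset({"python", "logging"}), 60, 1),
    Package("newparse", frozenset({"python", "parser", "network"}), 3, 0),
]


def profile_by_name(name: str, corpus: List[Package] = CORPUS) -> Optional[dict]:
    target = next((p for p in corpus if p.name == name), None)
    return risk_profile(target, corpus) if target else None


if __name__ == "__main__":
    for pkg in CORPUS:
        print(risk_profile(pkg, CORPUS))
```

Running it, "newparse" has only three months of history, so its profile is taken from "fastparse" (identical tags, weight 1.0) and "netparse" (overlap 0.75); "colorlog" is excluded as too dissimilar. The weighting keeps a closer peer from being diluted by a looser one, and a package with no qualifying peers is reported as lacking data instead of receiving a fabricated score.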