Methods and systems for determining software risk scores
Abstract:
A system for assessing software risks includes a non-transitory computer readable medium and a processor. The non-transitory computer readable medium stores category risk scores based on findings generated by software security analysis tools of different categories. The processor receives at least one first finding from a first category of software security analysis tools and at least one second finding from a second category of software security analysis tools. A first category risk score is computed based on the at least one first finding. A second category risk score is computed based on the at least one second finding. An overall risk score for application code is determined by computing a weighted average based on the first category risk score and the second category risk score. A graphical user interface displays the overall risk score.