CERT-SEI

SQUARE

Requirements problems are the primary reason that projects

  • are significantly over budget and past schedule
  • have significantly reduced scope
  • deliver poor-quality applications that are little used once delivered, or are cancelled altogether

One source of these problems is poorly expressed or analyzed quality requirements, such as security and privacy. Requirements engineering defects cost 10 to 200 times more to correct during implementation than if they are detected during requirements development. Moreover, it is difficult and expensive to significantly improve the security of an application after it is in its operational environment. Read more beginning on page 45 of the 2010 CERT Research Report.

Security Quality Requirements Engineering (SQUARE) is a nine-step process that helps organizations build security, including privacy, into the early stages of the production lifecycle. Instructional materials are available for download that can be used to teach the SQUARE method.

The Original SQUARE Method

Using SQUARE can enable your organization to develop more secure, survivable software and systems, more predictable schedules and costs, and achieve lower costs. An enhanced robust tool, called SQUARE for Privacy, or P-SQUARE, is available for free to help you use the SQUARE process for security, privacy, or both.

The SQUARE Method for Acquisition

Organizations that are acquiring software have the same security concerns as organizations that are developing software, but they usually have less control over the actual development process. Depending on the situation, the acquisition stakeholders may be heavily involved in security requirements engineering, or they may be limited to reviewing requirements developed by the supplier. The SQUARE process for security requirements engineering can be readily adapted for different acquisition situations.

The SQUARE Method can adapt to these situations:

  • Your acquisition organization has the typical client role for newly developed software.
  • Your acquisition organization specifies the requirements as part of the RFP for newly developed software.
  • Your organization is acquiring COTS software.

A tool, called SQUARE for Acquisition, or A-SQUARE, is available for free to help stakeholders, requirements engineers, and contractors/vendors, for a variety of acquisition cases.

Attend a SQUARE Workshop

The SEI offers a one- or two-day workshop that can be given at your organization's site or at the SEI Pittsburgh location. This workshop covers the SQUARE method and provides your team with everything you need to know to start using it. Workshops are by request only.

Read more about our workshops

Additional Materials

Consult these materials about SQUARE for more information.