SQUARE
Requirements Engineering for Improved System Security and Privacy
Requirements problems are the primary reason that projects:
- run significantly over budget and behind schedule
- have significantly reduced scope
- deliver poor-quality applications, are little used once delivered, or are cancelled altogether
In particular, system quality requirements such as security and privacy are often poorly expressed and rarely analyzed, leading to incomplete system designs and implementations.
Requirements engineering defects cost 10 to 200 times more to correct during implementation than if they are detected during requirements development. A study found returns on investment of 12 to 21 percent when security analysis and secure engineering practices are introduced early in the development cycle. Further, it is very difficult and expensive to significantly improve the security of an application after it is fielded in its operational environment. Read more beginning on page 45 of the 2010 CERT Research Report (pdf).
Security Quality Requirements Engineering (SQUARE) is a nine-step process originally developed to help organizations build security into the early stages of the production life cycle. Since the initial SQUARE development, the process has been extended to include privacy considerations. The process involves identifying and assessing processes and techniques to improve requirements identification, analysis, specification, and management. It also addresses the management issues associated with developing good security and privacy requirements. Using SQUARE can help your organization develop more secure, survivable software and systems with more predictable schedules and lower costs.
An enhanced tool that supports applying the SQUARE process for security, privacy, or both is now available as a free downloadable application.
Organizations that are acquiring software have the same security concerns as organizations that are developing software, but they usually have less control over the actual development process. Learn more about adapting the SQUARE method for acquisition.