Requirements Engineering for Improved System Security and Privacy
Requirements problems are the primary reason that projects
- are significantly over budget and past schedule
- have significantly reduced scope
- deliver poor-quality applications that are little used once delivered, or are cancelled altogether
One source of these problems is poorly expressed or analyzed quality
requirements, such as security and privacy. Requirements engineering defects
cost 10 to 200 times more to correct during implementation than if they are
detected during requirements development. Moreover, it is difficult
and expensive to significantly improve the security of an application after it
is in its operational environment. Read more beginning on page 45 of
the 2010 CERT
Research Report (pdf).
Security Quality Requirements Engineering (SQUARE) is a nine-step process that helps organizations build security into the early stages of the
production life cycle. We have extended the process to consider privacy.
Using SQUARE can enable your organization to develop more
secure, survivable software and systems, more predictable schedules and costs,
and achieve lower costs.
An enhanced robust tool to help you easily use the SQUARE process for
security, privacy, or both is now available as a free downloadable application.
Organizations that are acquiring software have the same security concerns as those that are developing software, but they usually have less control over the actual development process. Learn more about adapting the SQUARE method for acquisition.