Security Quality Requirements Engineering (SQUARE)

May 28th, 2011 | Category: Management

Security Quality Requirements Engineering (SQUARE) is a nine-step process to help organizations build security into the early stages of the production life cycle. The process involves identifying and assessing processes and techniques to improve requirements identification, analysis, specification, and management. It also focuses on management issues associated with the development of good security requirements. Using SQUARE can enable your organization to develop more secure, survivable software and systems, achieve more predictable schedules and costs, and lower costs. SQUARE is a CERT research project.

SQUARE’s Nine Steps

SQUARE’s security requirements elicitation and analysis process

| Step | Input | Techniques | Participants | Output |
|---|---|---|---|---|
| 1. Agree on definitions | Candidate definitions from IEEE and other standards | Structured interviews, focus group | Stakeholders, requirements team | Agreed-to definitions |
| 2. Identify assets and security goals | Definitions, candidate goals, business drivers, policies and procedures, examples | Facilitated work session, surveys, interviews | Stakeholders, requirements engineer | Assets and goals |
| 3. Develop artifacts to support security requirements definition | Potential artifacts (e.g., scenarios, misuse cases, templates, forms) | Work session | Requirements engineer | Needed artifacts: scenarios, misuse cases, models, templates, forms |
| 4. Perform risk assessment | Misuse cases, scenarios, security goals | Risk assessment method, analysis of anticipated risk against organizational risk tolerance, including threat analysis | Requirements engineer, risk expert, stakeholders | Risk assessment results |
| 5. Select elicitation techniques | Goals, definitions, candidate techniques, expertise of stakeholders, organizational style, culture, level of security needed, cost benefit analysis, etc. | Work session | Requirements engineer | Selected elicitation techniques |
| 6. Elicit security requirements | Artifacts, risk assessment results, selected techniques | Joint Application Development (JAD), interviews, surveys, model-based analysis, checklists, lists of reusable requirements types, document reviews | Stakeholders facilitated by requirements engineer | Initial cut at security requirements |
| 7. Categorize requirements as to level (system, software, etc.) and whether they are requirements or other kinds of constraints | Initial requirements, architecture | Work session using a standard set of categories | Requirements engineer, other specialists as needed | Categorized requirements |
| 8. Prioritize requirements | Categorized requirements and risk assessment results | Prioritization methods such as Triage, Win-Win | Stakeholders facilitated by requirements engineer | Prioritized requirements |
| 9. Inspect requirements | Prioritized requirements, candidate formal inspection technique | Inspection methods such as Fagan, peer reviews | Inspection team | Initial selected requirements, documentation of decision-making process and rationale |



A robust tool to support SQUARE has been developed by a team of Carnegie Mellon Master of Software Engineering students with oversight by staff within CERT and CyLab. The tool, designed for use by stakeholders, requirements engineers, and administrators, aids in all nine steps of SQUARE by

  • recording definitions and searching and adding new terms
  • identifying the project business goals, assets, and security goals
  • adding or editing links to project artifacts
  • performing risk assessment and identifying threats
  • comparing elicitation techniques
  • linking the elicited requirements to goals, risks, and artifacts
  • classifying requirements based on predefined categories
  • prioritizing security requirements
  • inspecting requirements, viewing traceability to risks and artifacts, and exporting requirements to tools such as Requisite Pro

The tool is available for free. You can use it two ways.
