Through the SQUARE project, CERT researchers have developed an end-to-end process for security requirements engineering to help organizations build security into the early stages of the production life cycle. The SQUARE methodology consists of nine steps that generate a final deliverable of categorized and prioritized security requirements. The project started in 2003 and continues research in the security requirements area: developing the SQUARE method, its extensions, and associated tools, and presenting and publishing the method at workshops and tutorials, at conferences, and in journals and books.
Requirements engineering defects, including those in security requirements, cost 10 to 200 times more to correct during implementation than if they are detected during requirements development. A study found returns on investment of 12 to 21 percent when security analysis and secure engineering practices are introduced early in the development cycle. Further, it is very difficult and expensive to significantly improve the security of an application after it is fielded in its operational environment.
In this workshop we will present an overview of security requirements engineering and the SQUARE methodology. Then we will go through the SQUARE steps in detail. For each step, students will participate in a team case study. We will then discuss some of the follow-on research and transition activities. These include 1) SQUARE-Lite, an abbreviated version of SQUARE; 2) SQUARE integrated into various lifecycle models; 3) SQUARE for Privacy (P-SQUARE); and 4) SQUARE for Acquisition (A-SQUARE). We will also discuss the current SQUARE tool development effort in support of the original SQUARE, P-SQUARE, and A-SQUARE, and other topics of interest.
The target audience includes software managers and technical leads, software engineers, and requirements engineers who are concerned with security requirements in developed or acquired software. Security specialists who are involved in security requirements specification would also benefit from this course.
There are no formal prerequisites, although knowledge of software engineering processes in general and requirements engineering in particular would be helpful. Alternatively, knowledge of software security and the associated requirements issues would be helpful.
Participants will receive:
This 2-day course meets at the following times:
Days 1-2, 9:00 a.m. - 5:00 p.m.