It is well recognized in industry that requirements engineering is critical to the success of any major development project. Security requirements, if they are specified at all, tend to be developed independently of the rest of the requirements engineering activity. As a result, security requirements that are specific to the system and that provide for protection of essential services and assets are often neglected.
Through the SQUARE (Security Quality Requirements Engineering) project, CERT researchers have developed an end-to-end process for security requirements engineering to help organizations build security into the early stages of the production life cycle. The SQUARE methodology consists of nine steps whose final deliverable is a set of categorized and prioritized security requirements. The process has been baselined, piloted, and incorporated into practice. CERT has prototyped a computer-aided software engineering (CASE) tool to support each stage of the SQUARE process. More recently, SQUARE for Acquisition (A-SQUARE) has been developed and is available for early pilot use. This seminar provides an overview of the SQUARE process and discusses current activities and plans.