search menu icon-carat-right cmu-wordmark

Security Requirements Engineering Using the SQUARE Method

Through the SQUARE project, CERT researchers have developed an end-to-end process for security requirements engineering to help organizations build security into the early stages of the production life cycle. The SQUARE methodology consists of nine steps that generate a final deliverable of categorized and prioritized security requirements. This project started in 2003 and continues research in the security requirements area, developing the SQUARE method and its extensions, associated tools, and presenting and publishing the method at workshops and tutorials, at conferences, and in journals and books.

Requirements engineering defects, including those in security requirements, cost 10 to 200 times more to correct during implementation than if they are detected during requirements development. A study found returns on investment of 12 to 21 percent when security analysis and secure engineering practices are introduced early in the development cycle. Further, it is very difficult and expensive to significantly improve the security of an application after it is fielded in its operational environment.

In this workshop we will present an overview of security requirements engineering and the SQUARE methodology. Then we will go through the SQUARE steps in detail. For each step, students will participate in a team case study. We will then discuss some of the follow-on research and transition activities. These include 1) SQUARE-Lite - an abbreviated version of SQUARE, 2) SQUARE integrated into various lifecycle models 3) SQUARE for Privacy (P-SQUARE) 4) SQUARE for Acquisition (A-SQUARE). We will also discuss the current SQUARE tool development effort in support of the original SQUARE, P-SQUARE, and A-SQUARE, and other topics of interest.


The target audience includes software managers and technical leads, software engineers, and requirements engineers who are concerned with security requirements in developed or acquired software. Security specialists who are involved in security requirements specification would benefit from this course.


  • Attendees will understand the challenges of security requirements engineering.
  • Attendees will learn the importance of developing security requirements in the same time frame as functional requirements, rather than as an add-on patch.
  • Attendees will learn why the methods used to identify functional requirements may not work directly for security requirements.
  • Attendees will be exposed to methods for security risk analysis, security requirements elicitation, and security requirements prioritization.
  • Attendees will learn how to apply the SQUARE method for security requirements engineering.


  • Overview of security requirements engineering
  • Overview of SQUARE
  • Overview of A-SQUARE and P-SQUARE
  • In-depth study of SQUARE steps, including a case study
  • Discussion of current research and available tools


Participants will receive:

  • Course notebook containing the course materials
  • Case study materials
  • SQUARE Technical Report
  • Copy of Addison Wesley book Software Security Engineering: A Guide for Project Managers
  • CD containing the SQUARE tool suite


There are no formal prerequisites, although knowledge of software engineering processes in general and requirements engineering in particular would be helpful. Alternatively, knowledge of software security and the associated requirements issues would be helpful.


This one-day course meets at the following times:

9:00 a.m. - 5:00 p.m.

This course may be offered by special arrangement at customer sites. For details, please email or telephone at +1 412-268-7622.

Course Questions?

Phone: 412-268-7388
FAX: 412-268-7401

Related Courses

  • Software Assurance Methods in Support of Cyber Security

    1 - Day Course

    This workshop is focused on four critical software assurance areas: security requirements, software supply chain assurance, mission thread analysis, and measurement. The purpose of this course is to expose managers, engineers, and acquirers to concepts and resources available now for their use to address software security assurance across the...

    Learn More

Training courses provided by the SEI are not academic courses for academic credit toward a degree. Any certificates provided are evidence of the completion of the courses and are not official academic credentials. For more information about SEI training courses, see Registration Terms and Conditions and Confidentiality of Course Records.