Software Engineering Institute | Carnegie Mellon University

Security Requirements Engineering Using the SQUARE Method

Through the SQUARE project, CERT researchers have developed an end-to-end process for security requirements engineering to help organizations build security into the early stages of the production life cycle. The SQUARE methodology consists of nine steps that generate a final deliverable of categorized and prioritized security requirements. This project started in 2003 and continues research in the security requirements area: developing the SQUARE method, its extensions, and associated tools, and presenting and publishing the method at workshops and tutorials, at conferences, and in journals and books.

Requirements engineering defects, including those in security requirements, cost 10 to 200 times more to correct during implementation than if they are detected during requirements development. A study found returns on investment of 12 to 21 percent when security analysis and secure engineering practices are introduced early in the development cycle. Further, it is very difficult and expensive to significantly improve the security of an application after it is fielded in its operational environment.

In this workshop we will present an overview of security requirements engineering and the SQUARE methodology. Then we will go through the SQUARE steps in detail. For each step, students will participate in a team case study. We will then discuss some of the follow-on research and transition activities. These include (1) SQUARE-Lite, an abbreviated version of SQUARE; (2) SQUARE integrated into various lifecycle models; (3) SQUARE for Privacy (P-SQUARE); and (4) SQUARE for Acquisition (A-SQUARE). We will also discuss the current SQUARE tool development effort in support of the original SQUARE, P-SQUARE, and A-SQUARE, and other topics of interest.

Who should attend?

The target audience includes software managers and technical leads, software engineers, and requirements engineers who are concerned with security requirements in developed or acquired software. Security specialists who are involved in security requirements specification would benefit from this course.


  • Overview of security requirements engineering
  • Overview of SQUARE
  • Overview of A-SQUARE and P-SQUARE
  • In-depth study of SQUARE steps, including a case study
  • Discussion of current research and available tools


  • Attendees will understand the challenges of security requirements engineering.
  • Attendees will learn the importance of developing security requirements in the same time frame as functional requirements, rather than as an add-on patch.
  • Attendees will learn why the methods used to identify functional requirements may not work directly for security requirements.
  • Attendees will be exposed to methods for security risk analysis, security requirements elicitation, and security requirements prioritization.
  • Attendees will learn how to apply the SQUARE method for security requirements engineering.


There are no formal prerequisites, although knowledge of software engineering processes in general and requirements engineering in particular would be helpful. Alternatively, knowledge of software security and the associated requirements issues would be helpful.


Participants will receive:

  • Course notebook containing the course materials
  • Case study materials
  • SQUARE Technical Report
  • Copy of the Addison-Wesley book Software Security Engineering: A Guide for Project Managers
  • CD containing the SQUARE tool suite


This one-day course meets at the following times:
9:00 a.m. - 5:00 p.m.

Training courses provided by the SEI are not academic courses for academic credit toward a degree. Any certificates provided are evidence of the completion of the courses and are not official academic credentials.

Course Details

This course may be offered by special arrangement at customer sites.

For More Information

Phone: 412-268-7622