This special report is the first by the Carnegie Mellon ® Software Engineering Institute to focus on the practical application of the SQUARE-Lite security requirements engineering method. Three case study reports about applying the Security Quality Requirements Engineering (SQUARE) process, from which SQUARE-Lite is derived, were published previously.In this report, the SQUARE and SQUARE-Lite methods are briefly described, and a student team presents the results of working with a client using SQUARE-Lite to develop security requirements for a financial application.1 | CMU/SEI-2008-SR-017
IntroductionIn September 2007, Carnegie Mellon University and VAD Corporation came together to pilot the SQUARE-Lite methodology on the VAD Corporation's VADSoft project. The SQUARE team and VAD Corporation staff met on a number of occasions from September 2007 through the end of February 2008. The SQUARE team members are listed as authors of this report. The primary contact point at VAD Corporation was from the Information Security Department. He was frequently joined by members of the VADSoft development team as we worked through the pilot activity. The remainder of this report discusses the results of the SQUARE-Lite pilot and lessons learned from the project.
VAD CORPORATION AND VADSOFTVAD Corporation is a privately held, medium-sized commercial organization. The VADSoft project is a financial application. User functionality is determined by the client and user roles and functions that are defined by their security model.
| CMU/SEI-2008-SR-017
SQUAREThe SQUARE methodology [Mead 2005] begins with the requirements engineering team and project stakeholders agreeing on technical definitions that serve as a baseline for all future communication. Next, business and security goals are outlined. Third, artifacts and documentation are created, which are necessary for a full understanding of the relevant system. A structured risk assessment determines the likelihood and impact of possible threats to the system. Following this work, the requirements engineering team determines the best method for eliciting initial security requirements from stakeholders, which is dependent on several factors, including the stakeholders involved, the expertise of the requirements engineering team, and the size and complexity of the project. Once a method has been established, the participants rely on artifacts and risk assessment results to elicit an initial set of security requirements. Two subsequent stages are spent categorizing and prioritizing these requirements for management's use in making tradeoff decisions. Finally, an inspection stage is included to ensure the consistency and accuracy of the security requirements that have been generated.
SQUARE-LITEOver the course of the SQUARE case studies, it became clear that SQUARE required a significant commitment on the part of the organizations that used it. Execution of the full SQUARE process could take up to two to three months, and many organizations were not able to make that time commi...
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.