Software Engineering Institute

Organizations that are acquiring software have the same security concerns as organizations that are developing software, but they usually have less control over the actual development process. Depending on the exact situation, the acquisition stakeholders may be heavily involved in security requirements engineering, or they may have a role that is largely limited to reviewing requirements developed by the supplier. In this paper the SQUARE process for security requirements engineering is adapted for different acquisition situations. In the future, it is hoped that other security requirements engineering methods will be adapted to acquisition. The next steps for SQUARE for Acquisition are to use it on actual projects.