search menu icon-carat-right cmu-wordmark

Adapting the SQUARE Method for Security Requirements Engineering to Acquisition

White Paper
In this paper, Nancy Mead adapts the SQUARE process for security requirements engineering to different acquisition situations.

Software Engineering Institute


Organizations that are acquiring software have the same security concerns as organizations that are developing software, but they usually have less control over the actual development process. Depending on the exact situation, the acquisition stakeholders may be heavily involved in security requirements engineering, or they may have a role that is largely limited to reviewing requirements developed by the supplier. In this paper the SQUARE process for security requirements engineering is adapted for different acquisition situations. In the future, it is hoped that other security requirements engineering methods will be adapted to acquisition. The next steps for SQUARE for Acquisition are to use it on actual projects.