search menu icon-carat-right cmu-wordmark

Security Requirements Reusability and the SQUARE Methodology

Technical Note
In this report, the authors discuss how security requirements engineering can incorporate reusable requirements.
Publisher

Software Engineering Institute

CMU/SEI Report Number
CMU/SEI-2010-TN-027
DOI (Digital Object Identifier)
10.1184/R1/6583700.v1

Abstract

Security is often neglected during requirements elicitation, which leads to tacked-on designs, vulnerabilities, and increased costs. When security requirements are defined, they are often either too vague to be of much use or overly specific in constraining designers to use particular mechanisms. The CERT Program, part of Carnegie Mellon University's Software Engineering Institute, has developed the Security Quality Requirements Engineering (SQUARE) methodology to correct this shortcoming by integrating security analysis into the requirements engineering process. 

SQUARE can be improved upon by considering the inclusion of generalized, reusable security requirements to produce better-quality specifications at a lower cost. Because many software-intensive systems face similar security threats and address those threats in fairly standardized ways, there is potential for reuse of security goals and requirements if they are properly specified. Full integration of reuse into SQUARE requires a common understanding of security concepts and a body of well-written and generalized requirements. This study explores common security criteria as a hierarchy of concepts and relates those criteria to examples of reusable security goals and requirements for inclusion in a new variant of SQUARE focusing on reusability, R-SQUARE.

Cite This Technical Note

Christian, T., & Mead, N. (2010, September 1). Security Requirements Reusability and the SQUARE Methodology. (Technical Note CMU/SEI-2010-TN-027). Retrieved February 27, 2024, from https://doi.org/10.1184/R1/6583700.v1.

@techreport{christian_2010,
author={Christian, Travis and Mead, Nancy},
title={Security Requirements Reusability and the SQUARE Methodology},
month={Sep},
year={2010},
number={CMU/SEI-2010-TN-027},
howpublished={Carnegie Mellon University, Software Engineering Institute's Digital Library},
url={https://doi.org/10.1184/R1/6583700.v1},
note={Accessed: 2024-Feb-27}
}

Christian, Travis, and Nancy Mead. "Security Requirements Reusability and the SQUARE Methodology." (CMU/SEI-2010-TN-027). Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, September 1, 2010. https://doi.org/10.1184/R1/6583700.v1.

T. Christian, and N. Mead, "Security Requirements Reusability and the SQUARE Methodology," Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, Technical Note CMU/SEI-2010-TN-027, 1-Sep-2010 [Online]. Available: https://doi.org/10.1184/R1/6583700.v1. [Accessed: 27-Feb-2024].

Christian, Travis, and Nancy Mead. "Security Requirements Reusability and the SQUARE Methodology." (Technical Note CMU/SEI-2010-TN-027). Carnegie Mellon University, Software Engineering Institute's Digital Library, Software Engineering Institute, 1 Sep. 2010. https://doi.org/10.1184/R1/6583700.v1. Accessed 27 Feb. 2024.

Christian, Travis; & Mead, Nancy. Security Requirements Reusability and the SQUARE Methodology. CMU/SEI-2010-TN-027. Software Engineering Institute. 2010. https://doi.org/10.1184/R1/6583700.v1