System Quality Requirements Engineering (SQUARE) is a process model developed at the Software Engineering Institute's Networked Systems Survivability (NSS) Program at Carnegie Mellon University, with Prof. Nancy Mead as Principal Investigator. The SQUARE methodology consists of nine steps (agree on definitions; identify assets and security goals; develop supporting artifacts such as misuse cases and attack trees; perform a risk assessment; select an elicitation technique; elicit security requirements; categorize them; prioritize them; inspect them) whose final deliverable is a set of categorized and prioritized security requirements. Although SQUARE could probably be generalized to any large-scale design project, it was designed for use with information technology systems. The SQUARE process involves the interaction of a team of requirements engineers with the stakeholders of an IT project. SQUARE has been tested successfully on several pilot projects in different settings; the pilot organizations included a small startup company, a midsize company with 1000 employees, and a US government organization.
In 2011, we will investigate how to set up a collaboration to assess this methodology for SAP by testing it on several pilot projects. This work may involve Carnegie Mellon University (Prof. Nancy Mead) and SAP Research Sophia Antipolis, Security & Trust (Dr. Paul El Khoury), in addition to other SAP departments.
The main advantage that SQUARE provides is traceability of the resulting security requirements. In a nutshell, traceability means that each security requirement is delivered together with the context it was derived from: the modeled threats, the components and architecture it constrains, and clear definitions of the terms used in the requirement. Beyond knowing when a security requirement applies, SQUARE supports a better decision-making process for deciding whether a given requirement must be prioritized for a current release that needs to ship quickly or can be deferred to a later one. This decision is possible because the misuse cases, attack patterns, and the cost and effort associated with each security requirement are recorded alongside its context description; a requirement whose risk and cost cannot be justified from that context is a sign that the traceability chain is incomplete.
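The following Python sketch, added here as an illustration and not part of the CERT SQUARE tool or of any SAP pilot, shows what such a traceability record looks like in practice: each requirement carries its agreed definitions, the components it constrains, the misuse cases (with attack pattern, likelihood and impact) it mitigates, and an effort estimate. Two checks are built on top of it: a gap finder that flags requirements that cannot be traced back to their context, and a release-planning function that ranks the remaining requirements by risk per unit of effort and fits them into a release budget. The risk formula (likelihood times impact), the greedy ranking and all sample data are constructed assumptions for this example.

```python
from dataclasses import dataclass, field


@dataclass
class MisuseCase:
    """A misuse case from the risk assessment, with its attack pattern."""
    id: str
    description: str
    attack_pattern: str
    likelihood: int  # 1 (rare) .. 5 (expected), from the risk assessment step
    impact: int      # 1 (minor) .. 5 (severe)

    def risk(self) -> int:
        # Assumed scoring: likelihood x impact, as in a simple risk matrix.
        return self.likelihood * self.impact


@dataclass
class SecurityRequirement:
    """A security requirement plus the context it was derived from."""
    id: str
    text: str
    category: str                                     # result of the categorize step
    definitions: dict = field(default_factory=dict)   # term -> agreed definition
    components: list = field(default_factory=list)    # architecture elements constrained
    misuse_cases: list = field(default_factory=list)  # MisuseCase objects mitigated
    effort_days: int = 0                              # estimated cost/effort

    def risk(self) -> int:
        # Requirement risk is the worst misuse case it mitigates.
        return max((m.risk() for m in self.misuse_cases), default=0)


def traceability_gaps(reqs):
    """Map requirement id -> list of missing context for untraceable requirements."""
    gaps = {}
    for r in reqs:
        missing = []
        if not r.misuse_cases:
            missing.append("misuse cases")
        if not r.components:
            missing.append("components")
        if not r.definitions:
            missing.append("definitions")
        if r.effort_days <= 0:
            missing.append("effort estimate")
        if missing:
            gaps[r.id] = missing
    return gaps


def prioritize(reqs, release_budget_days):
    """Return (ship_now_ids, deferred_ids) for a release with a fixed effort budget.

    Requirements with traceability gaps are deferred unconditionally; the rest are
    taken greedily in order of risk per effort-day (assumed ranking rule).
    """
    gaps = traceability_gaps(reqs)
    ranked = sorted(
        (r for r in reqs if r.id not in gaps),
        key=lambda r: (r.risk() / r.effort_days, r.risk()),
        reverse=True,
    )
    ship, used = [], 0
    deferred = [r.id for r in reqs if r.id in gaps]
    for r in ranked:
        if used + r.effort_days <= release_budget_days:
            ship.append(r.id)
            used += r.effort_days
        else:
            deferred.append(r.id)
    return ship, deferred


def affected_by(reqs, component):
    """Reverse trace: which requirements constrain a given component?"""
    return [r.id for r in reqs if component in r.components]


# Constructed sample data; not taken from any real SQUARE pilot.
SAMPLE_REQUIREMENTS = [
    SecurityRequirement(
        "SR-1", "All requests to the payment service shall be authenticated.", "system-level",
        definitions={"authentication": "verification of a claimed principal identity"},
        components=["api-gateway", "payment-service"],
        misuse_cases=[MisuseCase("MC-1", "Attacker replays a captured session token",
                                 "session replay", likelihood=4, impact=5)],
        effort_days=10),
    SecurityRequirement(
        "SR-2", "Audit records shall be write-once and retained for 90 days.", "system-level",
        definitions={"audit record": "an immutable log entry of a security-relevant event"},
        components=["audit-store"],
        misuse_cases=[MisuseCase("MC-2", "Insider deletes audit records to hide activity",
                                 "log tampering", likelihood=2, impact=4)],
        effort_days=5),
    SecurityRequirement(
        "SR-3", "The admin console shall rate-limit failed logins.", "software-level",
        definitions={"failed login": "an authentication attempt rejected by the console"},
        components=["admin-console"],
        misuse_cases=[MisuseCase("MC-3", "Attacker guesses admin passwords online",
                                 "brute force", likelihood=5, impact=3)],
        effort_days=3),
    # Deliberately untraceable: no context recorded, so it cannot be justified.
    SecurityRequirement("SR-4", "Data at rest shall be encrypted.", "system-level"),
]

if __name__ == "__main__":
    print("gaps:", traceability_gaps(SAMPLE_REQUIREMENTS))
    print("release plan (12 days):", prioritize(SAMPLE_REQUIREMENTS, 12))
    print("constrains payment-service:", affected_by(SAMPLE_REQUIREMENTS, "payment-service"))
```

With a 12 person-day budget the rate-limiting requirement (risk 15 for 3 days) and the audit requirement (risk 8 for 5 days) fit the release, the authentication requirement (risk 20 for 10 days) is deferred to the next one, and SR-4 is reported as a traceability gap rather than silently ranked: that is the point of keeping the context next to the requirement.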
Additional details on SQUARE can be found on the CERT website, together with details on the SQUARE tool that supports the methodology. Tutorials and lecture notes on how to apply the methodology are available on CERT's instructional page.