This document discusses security requirements engineering and the SQUARE framework. It defines key terms such as requirements, requirements engineering, and security requirements engineering. It then outlines the SQUARE framework, a 9-step process for eliciting security requirements that includes agreeing on definitions, identifying goals, risk assessment, selecting techniques, and prioritizing requirements. Other frameworks are also briefly discussed and compared to SQUARE. Implementing security requirements engineering and SQUARE provides benefits such as reducing risks and costs while protecting the business.
2. Overview
• Definitions
• Business pains
• SQUARE Framework
• Other Frameworks
• Benefits
• Q&A
3. Definitions
• Requirement: “is a condition or capability that must be met or possessed by a system or system component to satisfy a contract, standard, specification, or other formally imposed documents”
• In general, a requirement is based on what the product should do, not how the product should do it.
• Requirements engineering “is the branch of software engineering concerned with the real-world goals for, functions of, and constraints on software systems. It is also concerned with the relationship of these factors to precise specifications of software behavior, and to their evolution over time and across software families”
4. Definitions
• Security “is measurement or action to prevent harm to a component”
• Security requirements engineering “is about defining the way to achieve security goals - traditionally classified into confidentiality, integrity, and availability (CIA) goals -”
5. Business pains
• 60% of failed projects fail due to the lack of a requirements engineering process or methodology
• 79% of cyber-attacks happened because security requirements were not a focus while implementing the product/project
6. Top web attacks
• Injection
• Broken Authentication and Session Management
• Cross-Site Scripting (XSS)
• Insecure Direct Object References
• Security Misconfiguration
• Sensitive Data Exposure
• Missing Function Level Access Control
• Cross-Site Request Forgery (CSRF)
• Using Known Vulnerable Components
• Unvalidated Redirects and Forwards
These can be avoided if security is addressed before development starts.
7. Hierarchy of security goals
• Business goals
• Safety and security goals
• Security requirements
• Various architectural and policy recommendations
9. SQUARE Steps
| # | Step | Input | Techniques | Participants | Output |
|---|------|-------|------------|--------------|--------|
| 1 | Agree on definitions | Potential definitions | Structured interviews; focus group | Stakeholders, requirements team | Agreed-to definitions |
| 2 | Identify security goals | Definitions, candidate goals, business drivers, policies and procedures, examples | Facilitated work session; surveys and interviews | Stakeholders, requirements engineer | Goals |
| 3 | Develop artifacts | Potential artifacts | Work session | Requirements engineer | Needed artifacts: scenarios, misuse cases, models, templates, forms |
| 4 | Perform risk assessment | Misuse cases; scenarios; security goals | Risk assessment method; analysis of anticipated risk; threat analysis | Requirements engineer, risk expert, stakeholders | Risk assessment results |
| 5 | Select elicitation techniques | Goals, definitions, candidate techniques, expertise of stakeholders, organizational style, culture, level of security needed, cost benefit analysis, etc. | Work session | Requirements engineer | Selected elicitation techniques |
10. SQUARE Steps – Continued
| # | Step | Input | Techniques | Participants | Output |
|---|------|-------|------------|--------------|--------|
| 6 | Elicit security requirements | Artifacts; risk assessment results; selected techniques | Joint Application Development (JAD), interviews, surveys, model-based analysis, checklists, lists of reusable requirements types, document reviews | Stakeholders facilitated by requirements engineer | Initial cut at security requirements |
| 7 | Categorize requirements | Initial requirements; architecture | Work session | Requirements engineer, other specialists as needed | Categorized requirements |
| 8 | Prioritize requirements | Categorized requirements; risk assessment results | Triage; Win-Win | Stakeholders facilitated by requirements engineer | Prioritized requirements |
| 9 | Requirements inspection | Prioritized requirements | Fagan; peer reviews | Inspection team | List of security requirements |
11. Other frameworks
• Secure-i
• Security engineering process using patterns (SEPP)
• Keep all objectives satisfied (KAOS)
• Model-based information system security risk management (ISSRM)
• UMLsec
12. Comparison between these frameworks
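| Method \ Criteria | Stakeholders' views | Multi-Lateral | System | Machines | Threats | Risks | QA | Formality |
|---|---|---|---|---|---|---|---|---|
| SQUARE | X | X | X | X | X | X | X | - |
| Secure-i | X | X | X | X | X | X | X | - |
| SEPP | - | - | X | X | - | - | X | X |
| KAOS | X | X | X | X | X | - | X | X |
| ISSRM | X | - | X | X | X | X | - | - |
| UMLsec | - | - | - | X | X | - | - | X |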
13. Benefits of implementing security requirements engineering
• Protect business identity
• No need to redevelop systems in order to secure them
• Lower percentage of risks
• Results can be reused in the future
• Reduce business downtime
• Documented systems
• Reduced cost
• Quality improvement
14. Benefits of implementing SQUARE
• Reusable
• Easy to adapt
• More practitioner
• Ability to integrate with development lifecycle
15. Conclusion
• Implementing security requirements engineering is a must if the organization wants to protect its identity
• SQUARE is a good framework, but it is still missing attributes such as monitoring and control during the implementation, or reviewing the result after implementing the security requirements list.