Security Quality Requirements Engineering (SQUARE): Case Study Phase III

Abstract: This special report is the third in a series by the Software Engineering Institute focusing on the practical application of the Security Quality Requirements Engineering (SQUARE) process. In this report, a student team presents the results of working with three clients over the course of a semester. Each client was developing a large-scale software application and worked with the students to generate security requirements. The students' main contribution to the SQUARE process was to determine how existing software requirements-elicitation techniques could be applied to software security requirements (as opposed to end-user requirements). With each client, the students implemented a different structured requirements-elicitation technique: Issue-Based Information Systems (IBIS) with an information technology firm, Joint Application Development (JAD) with the Delta client, and the Accelerated Requirements Method (ARM) with the Beta client. The ARM technique, which is a variant of JAD, held the most promise for inclusion in future applications of SQUARE. In addition to an analysis of the three elicitation techniques, the student team also generated feedback and recommendations on different steps of the SQUARE process, such as requirements prioritization and inspection. They found the Analytic Hierarchy Process to be highly useful for prioritizing requirements quickly; however, they did not find a requirements inspection technique that was well suited to any of the clients.
