This special report is the third in a series by the Software Engineering Institute focusing on the practical application of the Security Quality Requirements Engineering (SQUARE) process. In this report, a student team presents their results of working with three clients over the course of a semester. Each client was developing a large-scale software application and worked with the students to generate security requirements. The students' main contribution to the SQUARE process was to determine how existing software requirements-elicitation techniques could be applied to software security requirements (as opposed to end-user requirements).
With each client, the students implemented a different structured requirements-elicitation technique: Issue-Based Information Systems with an information technology firm, Joint Application Development (JAD) with the Delta client, and the Accelerated Requirements Method (ARM) with the Beta client. The ARM technique, which is a variant of JAD, held the most promise for inclusion in future applications of SQUARE. In addition to an analysis of the three elicitation techniques, the student team also generated feedback and recommendations on different steps of the SQUARE process, such as requirements prioritization and inspection. They found the Analytic Hierarchy Process to be highly useful for prioritizing requirements quickly; however, they did not find a requirements inspection technique that was well suited for any of the clients.