search menu icon-carat-right cmu-wordmark

Security Requirements Reusability and the SQUARE Methodology

September 2010 Technical Note
Travis Christian, Nancy R. Mead

In this report, the authors discuss how security requirements engineering can incorporate reusable requirements.


Software Engineering Institute

CMU/SEI Report Number


DOI (Digital Object Identifier):


Security is often neglected during requirements elicitation, which leads to tacked-on designs, vulnerabilities, and increased costs. When security requirements are defined, they are often either too vague to be of much use or overly specific in constraining designers to use particular mechanisms. The CERT Program, part of Carnegie Mellon University's Software Engineering Institute, has developed the Security Quality Requirements Engineering (SQUARE) methodology to correct this shortcoming by integrating security analysis into the requirements engineering process. 

SQUARE can be improved upon by considering the inclusion of generalized, reusable security requirements to produce better-quality specifications at a lower cost. Because many software-intensive systems face similar security threats and address those threats in fairly standardized ways, there is potential for reuse of security goals and requirements if they are properly specified. Full integration of reuse into SQUARE requires a common understanding of security concepts and a body of well-written and generalized requirements. This study explores common security criteria as a hierarchy of concepts and relates those criteria to examples of reusable security goals and requirements for inclusion in a new variant of SQUARE focusing on reusability, R-SQUARE.