16 research outputs found

    International Liability Issues for Software Quality

    No full text
    This report focuses on international law related to cybercrime, international information security standards, and software liability issues as they relate to information security for critical infrastructure applications. Each area is explored and implications for U.S. policy and efforts to create cybersecurity policy worldwide are discussed. Recommendations are made for U.S. government participation and leadership. This report is one of a series of reports on U.S. policy by the CERT Coordination Center. Prior reports focused on international infrastructure for global security incident response and the technical challenges and global policy issues of tracking and tracing cyber attacks.

    An Evaluation of A-SQUARE for COTS Acquisition

    No full text
    Developed by the Software Engineering Institute (SEI) at Carnegie Mellon University, Software Quality Requirements Engineering for Acquisition (A-SQUARE) is a methodology used for eliciting and prioritizing security requirements as part of the acquisition process. In the project described in this paper, we evaluated the effectiveness of the A-SQUARE method by applying it to a COTS product for the advanced metering infrastructure of a smart grid. We evaluated the ability of the A-SQUARE method to identify security requirements for the COTS product; identify candidate COTS products; elicit, categorize, and prioritize security requirements; prioritize COTS products; and select a COTS product. We also evaluated the usability of the A-SQUARE tool using qualitative evaluation criteria.

    Requirements Engineering for Survivable Systems

    No full text
    This report describes the current state of requirements engineering for survivable systems, that is, systems that are able to complete their mission in a timely manner, even if significant portions are compromised by attack or accident. Requirements engineering is defined and requirements engineering activities are described. Survivability requirements are then explained, and requirements engineering methods that may be suitable for survivable systems are introduced. The report concludes with a summary and a plan for future research opportunities in survivable systems requirements engineering.

    How To Compare the Security Quality Requirements Engineering (SQUARE) Method with Other Methods

    No full text
    The Security Quality Requirements Engineering (SQUARE) method, developed at the Carnegie Mellon Software Engineering Institute, provides a systematic way to identify security requirements in a software development project. This report describes SQUARE and then describes other methods used for identifying security requirements, such as the Comprehensive, Lightweight Application Security Process, the Security Requirements Engineering Process, and Tropos, and compares them with SQUARE. The report concludes with some guidelines for selecting a method and a look at some related trends in requirements engineering.

    Adapting the SQUARE Process for Privacy Requirements Engineering

    No full text
    As software systems become more distributed and complex, maintaining privacy of data and ensuring data integrity remain challenges for software practitioners. Developing such systems not only poses technical challenges but also demands compliance with privacy laws. Engineering precise privacy requirements is an important step in building these software systems. This technical note explores the use of a disciplined approach to identifying privacy requirements, primarily how the Security Quality Requirements Engineering (SQUARE) process, which was developed for security requirements engineering, can be adapted for privacy requirements engineering in software development.

    Security Requirements Reusability and the SQUARE Methodology

    No full text
    Security is often neglected during requirements elicitation, which leads to tacked-on designs, vulnerabilities, and increased costs. When security requirements are defined, they are often either too vague to be of much use or overly specific in constraining designers to use particular mechanisms. The CERT Program, part of Carnegie Mellon University's Software Engineering Institute, has developed the Security Quality Requirements Engineering (SQUARE) methodology to correct this shortcoming by integrating security analysis into the requirements engineering process. SQUARE can be improved upon by considering the inclusion of generalized, reusable security requirements to produce better-quality specifications at a lower cost. Because many software-intensive systems face similar security threats and address those threats in fairly standardized ways, there is potential for reuse of security goals and requirements if they are properly specified. Full integration of reuse into SQUARE requires a common understanding of security concepts and a body of well-written and generalized requirements. This study explores common security criteria as a hierarchy of concepts and relates those criteria to examples of reusable security goals and requirements for inclusion in a new variant of SQUARE focusing on reusability, R-SQUARE.

    SQUARE Project: Cost/Benefit Analysis Framework for Information Security Improvement Projects in Small Companies

    No full text
    Many companies rely on historical data to build predictability models for cost/benefit justification of future projects. Unfortunately, for small companies, which generally do not have a process for collecting security data, the costs and the benefits of information security improvement projects have been very difficult to estimate and justify. In addition, detailed attack data are simply not available to be used as references in cost estimations. Given these difficulties, many small companies choose to ignore entirely the security vulnerabilities in their systems, and many suffer the consequences of security breaches and significant financial loss. Small companies that do implement security improvement projects often have problems understanding the cost structures of their improvement initiatives and how to translate risk exposures into costs that can be passed on to their customers. To deal with the aforementioned problems, this report describes a general framework for hierarchical cost/benefit analysis aimed at providing acceptable estimations for small companies in their information security improvement projects. The framework classifies misuse cases into categories of threats for which nationally surveyed risks and financial data are publicly available. For each category of threats, costs, benefits, baseline risks, and residual risks are estimated. The framework then generates all permutations of possible solutions and analyzes the most optimal approach to maximize the value of security improvement projects. The framework analyzes the problems from five dimensions: Total Implementation Costs, Total System Value, Net Project Value, Benefit/Cost Ratio, and Risk Exposures. The final proposed system will be derived from the comparisons of these dimensions, taking into consideration each company's specific situation. 
    This report is one of a series of reports resulting from research conducted by the System Quality Requirements Engineering (SQUARE) Team as part of an independent research and development project of the Software Engineering Institute.

    Using Malware Analysis to Tailor SQUARE for Mobile Platforms

    No full text
    As the number of mobile-device software applications has grown, so has the amount of malware targeting them. More than 650,000 pieces of malware now target the Android platform. As mobile malware becomes more sophisticated and begins to approach threat levels seen on PC platforms, software development security practices for mobile applications will need to adopt the security practices for PC applications to reduce consumers’ exposure to financial and privacy breaches on mobile platforms. This technical note explores the development of security requirements for the K-9 Mail application, an open source email client for the Android operating system. The project’s case study (1) used the Security Quality Requirements Engineering (SQUARE) methodology to develop K-9 Mail’s security requirements and (2) used malware analysis to identify new security requirements in a proposed extension to the SQUARE process. This second task analyzed the impacts of DroidCleaner, a piece of Android malware, on the security goals of the K-9 Mail application. Based on the findings, new requirements are created to ensure that similar malware cannot compromise the privacy and confidentiality of email contents.

    Security Quality Requirements Engineering (SQUARE) Methodology

    No full text
    Requirements engineering, a vital component in successful project development, often does not include sufficient attention to security concerns. Studies show that up-front attention to security can save the economy billions of dollars, yet security concerns are often treated as an afterthought to functional requirements. Industry can thus benefit from a model to examine security requirements in the development stages of the production life cycle. This report presents the Security Quality Requirements (SQUARE) Methodology for eliciting and prioritizing security requirements in software development projects, which was developed by the Software Engineering Institute's Networked Systems Survivability (NSS) Program. The methodology's steps are explained, and results from its application in recent case studies are examined. The NSS Program continues to develop SQUARE, which has proven effective in helping organizations understand their security posture and produce products with verifiable security requirements.

    Best Training Practices Within the Software Engineering Industry

    No full text
    This report provides the results of a benchmarking study to identify the best training practices within the software engineering community. We surveyed 24 organizations to create a broad picture of training as it currently exists in industry. We then chose three of these organizations for an in-depth study to identify the best training practices and enablers to those practices. This report summarizes the results of the survey and the in-depth study, and discusses the best practices and enablers that were identified.