- System Quality Requirements Engineering (SQUARE) is a process model that was developed at Carnegie Mellon University.
- Security Quality Requirements Engineering (SQUARE) provides a means for eliciting, categorizing, and prioritizing security requirements for information technology systems and applications.
- The focus of this methodology is to build security concepts into the early stages of the development life cycle.
SQUARE Effectiveness
Requirement Elicitation
- Degree of support provided for requirement elicitation: Moderate-Low degree of support
- Method used for eliciting requirements: Any technique, such as interviews and surveys
- Degree of stakeholder identification provided: Moderate-High degree of stakeholder identification involved
- The level of involvement of the customer: High involvement of customers
- Elicitation of requirements other than security: Functional and non-functional
- Dynamics of the elicitation process: Iterative process
- Support for establishing system boundaries: Low support
Requirement Analysis
- Types of analysis: Internal and external analysis
- Degree of unambiguity resolution of analysis: High level of detecting ambiguity and resolving it
- Degree of completeness levels of analysis: Moderate level of support available to ensure complete security requirements
- Degree of clarity resolution level of analysis: Provides only a high level of clarity
- Degree of support level analysis for considering missed security requirements: Low level of support
- Definite or indefinite prevention of security requirement conflict: Definite prevention
SQUARE: Advantages and Disadvantages
- Advantages
  - Enables easy understanding of the system and, at the same time, is easy to learn
  - Inexpensive to implement
- Disadvantages
  - Only useful for large projects
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
- OCTAVE is an information risk evaluation method that enables organizations to determine the risk factors affecting the confidentiality, integrity, and availability of assets.
- OCTAVE provides a structured approach for identifying, prioritizing, and managing the security risks in an organization.
- It also enables the organization to gain a better understanding of the security requirements needed for maintaining the security of its assets.
The OCTAVE approach consists of three phases:
- Phase 1: Identifying the asset-based threats
- Phase 2: Evaluating and identifying the vulnerabilities
- Phase 3: Drafting security strategies and plans
OCTAVE Steps
The steps involved in the OCTAVE security requirement process are:
- Identify the important and valuable assets
- Determine the security objectives for those assets
- Identify and analyze the threats and risks involved in the identified critical assets
- Determine security requirements for the identified threats and risks
OCTAVE: Advantages and Disadvantages
- Advantages
  - It enables both small and large organizations to apply the OCTAVE approach during the security elicitation process
- Disadvantages
  - It is difficult to understand and implement the concepts of the OCTAVE approach
  - The approach does not provide a detailed explanation of the quantitative analysis of the security risks in the organization