• preventing unauthorized access to assets such as computers, networks, and data.
  • maintaining integrity and confidentiality of (sensitive) information


Capability of a product to protect information and data so that persons or other products have the degree of data access appropriate to their types and levels of authorization, and to defend against attack patterns by malicious actors.


Typical Acceptance Criteria

Scenario Response Measures from [Bass et al.]

  • How much of a resource is compromised or ensured?
  • Accuracy of attack detection
  • How much time passes before an attack is detected?
  • How many attacks are resisted?
  • How long does it take to recover from successful attack?
  • How much data is vulnerable to a particular attack?

Bass et. al, 2022

What Stakeholders mean by secure

Stakeholder (potential) Expectation for secure
User * my personal data is never compromised or leaked to hostile parties
* a good compromise privacy and usability is achieved
Management * lowest possible risk of data breaches
* full compliance with GDPR or similar regulations
* full adherence to all licenses, of e.g. commercial or open-source tools, libraries or frameworks
* appropriate network security measures taken
* regular backups, tested and automated
* minimal attack vectors
Developer * despite corporate security rules, public sources (like Stackoverflow, Github and search engines) are accessible
security strategies like VPNs or 2FA are easy to use
* automated and proven backup for everything
* all important documents and files are version-controlled
Tester -
Admin * smalles possible attack surface
* restrictive firewall rules
* minimal access rights for all stakeholders
* intrusion detection in place
* automated malware scans for all incoming data and files
Domain-Expert -
Others Security auditor, Data protection officer, government or corporate security departments, attackers

Qualities tagged with #secure

Requirements tagged with #secure