- preventing unauthorized access to assets such as computers, networks, and data.
- maintaining confidentiality, integrity and availability of (sensitive) information.
Capability of a product to protect information and data so that persons or other products have the degree of data access appropriate to their types and levels of authorization, and to defend against attack patterns by malicious actors.
Typical Acceptance Criteria
Scenario Response Measures from [Bass et al.]
- How much of a resource is compromised or ensured?
- Accuracy of attack detection
- How much time passes before an attack is detected?
- How many attacks are resisted?
- How long does it take to recover from a successful attack?
- How much data is vulnerable to a particular attack?
What Stakeholders mean by secure
|Stakeholder|(potential) Expectation for secure|
|---|---|
|User|* my personal data is never compromised or leaked to (hostile) third parties<br>* a good compromise between privacy and usability is achieved|
|Management|* lowest possible risk of data breaches<br>* full compliance with GDPR or similar data protection and privacy regulations<br>* full adherence to all licenses, of e.g. commercial or open-source tools, libraries or frameworks<br>* appropriate network security measures taken<br>* regular backups, tested and automated<br>* minimal attack vectors|
|Developer|* despite corporate security measures, public sources (like Stack Overflow, GitHub and common search engines) are accessible<br>* security strategies like VPNs or MFA are easy to use<br>* automated and tested backup for everything<br>* all important documents and files are version-controlled|
|Admin|* smallest possible attack surface<br>* restrictive firewall rules<br>* minimal access rights for all stakeholders (least privilege)<br>* intrusion detection in place<br>* automated malware scans for all incoming data and files|
|Others|Security auditor, Data protection officer, government or corporate security departments, attackers|
Qualities tagged with #secure
Requirements tagged with #secure
- Access control is enforced
- Access Control
- Authenticity of a digital document
- Avoid common vulnerabilities
- Confidentiality by multi-tenancy
- Detailed audit log
- Employee attempts to modify pay rate
- Encrypted storage
- Every data modification is logged
- Only authenticated users can access data
- Zero-knowledge data storage