- preventing unauthorized access to assets such as computers, networks, and data.
- maintaining integrity and confidentiality of (sensitive) information.
Capability of a product to protect information and data so that persons or other products have the degree of data access appropriate to their types and levels of authorization, and to defend against attack patterns by malicious actors.
Typical Acceptance Criteria
Scenario Response Measures from [Bass et al.]
- How much of a resource is compromised or ensured?
- Accuracy of attack detection
- How much time passes before an attack is detected?
- How many attacks are resisted?
- How long does it take to recover from a successful attack?
- How much data is vulnerable to a particular attack?
What Stakeholders mean by secure
| Stakeholder | (potential) Expectation for secure |
|---|---|
| User | * my personal data is never compromised or leaked to hostile parties<br>* a good compromise between privacy and usability is achieved |
| Management | * lowest possible risk of data breaches<br>* full compliance with GDPR or similar regulations<br>* full adherence to all licenses, e.g. of commercial or open-source tools, libraries or frameworks<br>* appropriate network security measures taken<br>* regular backups, tested and automated<br>* minimal attack vectors |
| Developer | * despite corporate security rules, public sources (like Stack Overflow, GitHub and search engines) are accessible<br>* security strategies like VPNs or 2FA are easy to use<br>* automated and proven backup for everything<br>* all important documents and files are version-controlled |
| Admin | * smallest possible attack surface<br>* restrictive firewall rules<br>* minimal access rights for all stakeholders<br>* intrusion detection in place<br>* automated malware scans for all incoming data and files |
| Others | Security auditor, Data protection officer, government or corporate security departments, attackers |
Qualities tagged with #secure
Requirements tagged with #secure
- Avoid common vulnerabilities
- Confidentiality by multi-tenancy
- Employee attempts to modify pay rate
- Encrypted storage
- Every data modification is logged
- Only authenticated users can access data
- Zero-knowledge data storage