# Security Requirements and Testability

One-sentence definition: Write measurable security requirements that can be verified through tests.

## Key Facts

- Use verifiable language (e.g., “TLS 1.2+ with AES-GCM” vs “secure channel”).
- Tie to controls, standards, and acceptance criteria.
- Provide test hooks (logs, admin UI, health endpoints).
- Traceability: requirement ↔ test case ↔ evidence.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Distinguish vague vs testable requirement.

**Mnemonic:** “If you can’t **test** it, you can’t **trust** it.”

## Mini Scenario

Q: “Use strong passwords” requirement—improve?

A: “Support passphrases ≥ 14 chars; block known-breach list; Argon2 hashing.”

## Revision Checklist

- Replace vague words.
- Add acceptance criteria.
- Traceability artifact.

## Related

[[User Acceptance Security Criteria (UAT Security Gates)]] · [[Testing in CI CD (Shift Left and Right)]] · [[Static Analysis (SAST)]] · [[Remediation Verification and Regression Testing]] · [[Reporting and Executive Summaries]] · [[Domain 6 - Index]]