# Security Requirements Engineering

One-sentence definition: Write verifiable security requirements tied to risks, standards, and acceptance tests.

## Key Facts

- Use concrete criteria (e.g., “TLS 1.2+ with AEAD; HSTS enabled”).
- Traceability: requirement ↔ test case ↔ evidence in CI.
- Include non-functional reqs: logging, rate limits, privacy, resilience.
- Derive from threat modeling and data classification.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Spot vague vs testable requirements in questions.

**Mnemonic:** “If you can’t **test** it, don’t **trust** it.”

## Mini Scenario

Q: “Use strong encryption” appears—improve?

A: Specify protocol, cipher suites, key lengths, and rejection rules.

## Revision Checklist

- Two non-functional security requirements.
- Traceability value.
- Link to threat model.

## Related

[[Threat Modeling for Developers (STRIDE DFD)]] · [[Secure Design Principles (Least Privilege Fail Safe Economy of Mechanism)]] · [[Secure Error Handling and Logging for Apps]] · [[Security Testing Strategy (Unit Integration E2E Fuzz)]] · [[Domain 8 - Index]]