Security Requirements
What are Security Requirements?
Security Requirements: Explicit, testable statements of what a system must and must not do to protect confidentiality, integrity, availability and privacy.
Security requirements translate threats, regulations and risk decisions into engineering-ready statements such as 'passwords must be stored using Argon2id with parameters X' or 'all admin endpoints require step-up MFA'. They cover functional security (authentication, authorization, logging) and non-functional properties (cryptographic strength, data retention, resilience). Frameworks like the OWASP ASVS, NIST SP 800-53 or PCI DSS provide catalogues that can be tailored to a product. Each requirement should be traceable to the threat, regulation or control it satisfies and should name how it will be verified. Capturing requirements early in the SDLC, driven by threat modeling and abuse and misuse cases, lets security be verified through code review, SAST, DAST and acceptance tests rather than asserted after the fact.
● Examples
- 01
ASVS V2.1.1: applications must enforce a minimum password length of 12 characters.
- 02
Requirement: all PII fields must be encrypted at rest with a customer-managed key.
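The definition above and the two examples describe requirements that are "testable"; the following added example (not code from the original page or from any named framework) shows what that looks like in practice by turning three requirements into executable acceptance checks: the ASVS V2.1.1 minimum password length, the 'admin endpoints require step-up MFA' statement, and the 'PII encrypted at rest with a customer-managed key' example. The route-table and schema shapes, the `cmk:` key-naming convention and the requirement identifiers are assumptions made for illustration, and the sample inputs are constructed.

```python
"""Security requirements expressed as executable acceptance checks.

Added example, not from the original page. Each requirement is a small,
testable predicate run against constructed sample artefacts (a password,
a route table, a storage schema). The artefact shapes below are
assumptions for illustration, not any real framework's schema.
"""
import json
import re


# --- Requirement 1: ASVS V2.1.1, minimum password length of 12 characters.
# ASVS counts the length after runs of multiple spaces are combined into one,
# so a password padded with spaces does not pass on padding alone.
def meets_asvs_2_1_1(password: str) -> bool:
    normalised = re.sub(r" {2,}", " ", password)
    return len(normalised) >= 12


# --- Requirement 2: all admin endpoints require step-up MFA.
# Assumed route-table shape: list of dicts with "path" and "auth" (a set of
# the authentication factors the route enforces).
def admin_routes_missing_step_up(routes) -> list:
    """Return the paths of admin routes that do not require step-up MFA."""
    return [
        r["path"]
        for r in routes
        if r["path"].startswith("/admin") and "step_up_mfa" not in r["auth"]
    ]


# --- Requirement 3: all PII fields must be encrypted at rest with a
# customer-managed key. Assumed schema shape: each field has a "pii" flag and
# an optional "encryption" block naming the key. A customer-managed key is
# taken to be one whose id starts with "cmk:" (hypothetical convention).
def pii_fields_without_cmk(schema) -> list:
    """Return the names of PII fields not encrypted under a customer-managed key."""
    violations = []
    for field in schema["fields"]:
        if not field.get("pii"):
            continue
        enc = field.get("encryption")
        if not enc or not enc.get("key", "").startswith("cmk:"):
            violations.append(field["name"])
    return violations


# Constructed sample artefacts (not real data).
SAMPLE_ROUTES = [
    {"path": "/login", "auth": set()},
    {"path": "/admin/users", "auth": {"session", "step_up_mfa"}},
    {"path": "/admin/audit-log", "auth": {"session"}},  # violates requirement 2
]

SAMPLE_SCHEMA = json.loads("""
{"fields": [
  {"name": "email", "pii": true,  "encryption": {"key": "cmk:customer-prod-1"}},
  {"name": "ssn",   "pii": true,  "encryption": {"key": "provider-default"}},
  {"name": "phone", "pii": true},
  {"name": "theme", "pii": false}
]}
""")


def evaluate(password: str, routes, schema) -> dict:
    """Map each requirement id to (passed, detail) so CI can fail on any False."""
    missing_mfa = admin_routes_missing_step_up(routes)
    weak_pii = pii_fields_without_cmk(schema)
    return {
        "ASVS-V2.1.1": (meets_asvs_2_1_1(password), None),
        "REQ-ADMIN-STEPUP-MFA": (not missing_mfa, missing_mfa),
        "REQ-PII-CMK-AT-REST": (not weak_pii, weak_pii),
    }


if __name__ == "__main__":
    results = evaluate("correct horse battery staple", SAMPLE_ROUTES, SAMPLE_SCHEMA)
    for req, (ok, detail) in results.items():
        print(f"{req}: {'PASS' if ok else 'FAIL'}" + (f" {detail}" if detail else ""))
```

Each check returns data rather than printing, so the same functions can run as unit tests, as a CI gate over a rendered configuration, or as a pre-deployment policy check, which is what makes the requirement verifiable rather than aspirational.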
● Frequently asked questions
What are Security Requirements?
Explicit, testable statements of what a system must and must not do to protect confidentiality, integrity, availability and privacy. They belong to the Application Security category of cybersecurity.
How do you verify Security Requirements?
Each requirement should map to a verification method: code review, SAST, DAST, unit or acceptance tests, or configuration checks, as described in the full definition above. A requirement that cannot be checked by one of these is not yet testable and should be rewritten.
What are other names for Security Requirements?
Common alternative names include: Secure requirements, AppSec requirements.