Loading learning content...
In 2017, Equifax disclosed a breach affecting 147 million people—nearly half the US population. The root cause? An unpatched Apache Struts vulnerability that had been public for two months. The breach cost Equifax over $700 million in settlements, created years of remediation work, and irrevocably damaged trust.
Security breaches rarely originate from sophisticated nation-state attacks. They come from overlooked patches, misconfigured cloud buckets, weak passwords, inadequate access controls, and a thousand small failures that seemed unimportant until they weren't.
Security requirements define the protective measures your system must implement. Unlike other non-functional requirements where trade-offs are routine, security failures are often binary: the wall holds or it doesn't. Getting security requirements right isn't about optimization—it's about survival.
By the end of this page, you will master the framework for defining security requirements: authentication mechanisms, authorization models, data protection strategies, encryption specifications, network security controls, and compliance requirements that your system must meet.
Security requirements are grounded in fundamental security properties. Understanding these foundations enables precise requirement specification.
The CIA Triad:
The classic security model defines three core properties:
Confidentiality: Information is accessible only to authorized parties. Prevents unauthorized disclosure. Violated when data is exposed to wrong parties.
Integrity: Information is accurate, complete, and unaltered by unauthorized parties. Violated when data is modified, corrupted, or fabricated.
Availability: Information and systems are accessible when needed by authorized parties. (This overlaps with availability requirements but has a security dimension: preventing denial-of-service.)
| Property | Definition | Requirement Example |
|---|---|---|
| Confidentiality | Only authorized access to information | Personal data accessible only to data owner and support with consent |
| Integrity | Data is accurate and unmodified | Transaction records are immutable once committed |
| Availability | System is accessible when needed | Service maintains 99.9% availability under DDoS attack |
| Authentication | Verify identity of users/systems | Multi-factor authentication for administrative access |
| Authorization | Control what authenticated parties can do | Role-based access with least-privilege principle |
| Non-repudiation | Parties cannot deny their actions | All administrative actions are logged with signed audit trail |
| Accountability | Actions traceable to responsible party | Every data modification linked to authenticated user |
Defense in Depth:
No single security control is sufficient. Security requirements should specify multiple layers:
┌─────────────────────────────────────────────────────────────────┐
│ Security Layers │
├─────────────────────────────────────────────────────────────────┤
│ Perimeter │ Firewalls, WAF, DDoS protection │
├─────────────────────────────────────────────────────────────────┤
│ Network │ VPC, network segmentation, private subnets │
├─────────────────────────────────────────────────────────────────┤
│ Transport │ TLS/mTLS, certificate management │
├─────────────────────────────────────────────────────────────────┤
│ Application │ Authentication, authorization, input validation│
├─────────────────────────────────────────────────────────────────┤
│ Data │ Encryption at rest, field-level encryption │
├─────────────────────────────────────────────────────────────────┤
│ Operational │ Logging, monitoring, incident response │
└─────────────────────────────────────────────────────────────────┘
Each layer provides protection even if another layer fails. Requirements should address each layer.
Unlike performance requirements where 'good enough' is often acceptable, security requirements often have hard thresholds. 'Passwords stored in plaintext' isn't a trade-off—it's a failure. Specify security requirements as MUST/SHALL statements, not targets.
Authentication verifies that users and systems are who they claim to be. Strong authentication requirements are the first line of defense.
Authentication Factors:
| Factor | What It Proves | Examples |
|---|---|---|
| Something you know | User possesses secret knowledge | Password, PIN, security question |
| Something you have | User possesses physical item | Phone (TOTP), hardware key (FIDO2) |
| Something you are | User has biometric characteristic | Fingerprint, face scan, voice |
| Somewhere you are | User is at known location | Geofenced access, IP allowlist |
| Something you do | User has behavioral pattern | Typing pattern, usage pattern |
Multi-Factor Authentication (MFA):
MFA combines two or more factors. Requirements should specify when MFA is required:
12345678910111213141516171819202122232425262728293031323334353637383940414243
# Authentication Requirements Specification ## Password Requirements- Minimum length: 12 characters- Complexity: At least 3 of: uppercase, lowercase, digit, special character- Prohibitions: Common passwords (10,000 most common), username/email variations- Storage: Argon2id with min 19456 KiB memory, 2 iterations- History: Prevent reuse of last 12 passwords- Expiration: Optional (NIST 800-63 guidance); forced rotation on compromise ## Multi-Factor Authentication ### MFA Required (Mandatory)- Administrative access to any system- Access to production environments- Access to customer personal data- Financial transaction authorization above $10,000- Password reset or account recovery- API key management ### MFA Encouraged (Soft Prompt)- Standard user login (prompt but don't require)- Access from new device or location- After 30 days without MFA use ### Supported MFA Methods- Primary: TOTP authenticator apps (RFC 6238)- Secondary: WebAuthn/FIDO2 hardware keys- Fallback: SMS (only for recovery, not primary)- Not supported: Email-based OTP (insufficient security) ## Session Management- Session timeout (idle): 30 minutes for web, 24 hours for mobile- Absolute timeout: 12 hours for web, 30 days for mobile- Re-authentication: Required for sensitive operations- Concurrent sessions: Limit to 5 per user; alert on >3- Session binding: Bind to IP range and user-agent fingerprint ## Service-to-Service Authentication- All internal services: mTLS with certificate validation- Certificate rotation: Every 90 days, automated- API keys: SHA-256 hashed, rotatable by service owner- JWT tokens: RS256 or ES256, 15-minute maximum lifetimeFederated Identity and SSO:
For systems that integrate with external identity providers:
Federated Authentication Requirements:
1. Enterprise SSO
- Protocol: SAML 2.0 or OpenID Connect
- Providers: Okta, Azure AD, Google Workspace
- Just-in-time provisioning: Create accounts on first SSO login
- Attribute mapping: Map IdP groups to internal roles
2. Social Login
- Supported: Google, Apple, Microsoft
- Not supported: Facebook (data practices), Twitter (API stability)
- Scope: Request minimum necessary (email, profile)
- Fallback: Email/password for users without social accounts
3. API Authentication
- OAuth 2.0 with PKCE for user-delegated access
- API keys for server-to-server long-lived access
- JWT bearer tokens for short-lived access
- Token introspection: Validate tokens with issuer
Consider specifying passwordless options: 'The system shall support WebAuthn/FIDO2 for passwordless authentication by [date]. Users shall be prompted to register passkeys after successful password login.' Passwordless authentication is more secure and has better UX.
Authorization determines what authenticated users can do. The principle of least privilege—granting minimum necessary access—underpins all authorization requirements.
Authorization Models:
| Model | Description | Best For | Complexity |
|---|---|---|---|
| RBAC (Role-Based) | Users assigned roles; roles have permissions | Clear organizational hierarchies | Low-Medium |
| ABAC (Attribute-Based) | Decisions based on user/resource/context attributes | Complex, dynamic access rules | High |
| ReBAC (Relationship-Based) | Decisions based on relationships between entities | Social graphs, hierarchical data | Medium-High |
| ACL (Access Control List) | Per-resource lists of who can access | Simple per-object permissions | Low |
| PBAC (Policy-Based) | Centralized policies evaluated at runtime | Enterprise compliance, auditing | High |
Authorization Requirements Specification:
Authorization Requirements:
1. Access Control Model
- Primary model: RBAC with ABAC extensions
- Roles defined: Admin, Manager, Member, Viewer, API
- Attributes for context: IP range, time of day, risk score
- Relationship-based: Resource ownership, team membership
2. Role Definitions
Admin:
- All CRUD operations on all resources
- User management (except cannot modify own permissions)
- System configuration
- Audit log access
Require: MFA, approval workflow for creation
Manager:
- CRUD on resources within their department
- Read access to cross-department resources
- Approve member-level requests
Require: MFA for write operations
Member:
- CRUD on self-owned resources
- Read access to shared resources
- Cannot modify other users
Viewer:
- Read-only access to specified resources
- No export capability (data loss prevention)
3. Permission Granularity
- Actions: Create, Read, Update, Delete, Export, Share, Admin
- Resources: Users, Documents, Projects, Teams, Settings
- Scopes: Global, Organization, Team, Self-owned
4. Least Privilege Enforcement
- Default: No access (explicit grant required)
- Access review: Quarterly review of all elevated permissions
- Temporary elevation: Time-boxed access with automatic revocation
- Separation of duties: Critical operations require 2-person approval
Over time, users accumulate permissions they no longer need. Require: 'Access reviews shall be conducted quarterly. Permissions unused for 90 days shall be flagged for removal. Managers shall justify continued access or permissions are revoked.'
Data protection requirements specify how sensitive data is secured throughout its lifecycle—in transit, at rest, and in use.
Data Classification:
Before specifying protection requirements, classify data by sensitivity:
| Classification | Examples | Protection Level |
|---|---|---|
| Public | Marketing content, public API docs | Integrity protection only |
| Internal | Internal docs, general business data | Encryption in transit |
| Confidential | Financial data, strategic plans | Encryption at rest + in transit |
| Sensitive/PII | Customer names, emails, addresses | Strong encryption, access controls |
| Highly Sensitive | SSN, payment cards, health records | Field-level encryption, audit logging |
| Secret | Encryption keys, credentials | Hardware security modules (HSM) |
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647
# Data Protection Requirements Specification ## Encryption in Transit ### External Traffic- Protocol: TLS 1.3 required; TLS 1.2 accepted with strong ciphers- Cipher suites: ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-CHACHA20-POLY1305- Certificate: RSA 2048-bit minimum, EC P-256 preferred- Certificate management: Automated renewal via Let's Encrypt or AWS ACM- HSTS: Enabled with min 1 year, include subdomains, preload ### Internal Traffic- All service-to-service: mTLS required- Database connections: TLS required, certificate verification enabled- Cache connections: TLS required (Redis TLS, Memcached with stunnel)- Message queues: TLS required for broker connections ## Encryption at Rest ### Storage Encryption- Database: AES-256-GCM, envelope encryption with KMS-managed keys- Object storage (S3): SSE-KMS with customer-managed keys- Block storage (EBS): AES-256, per-volume keys- Backups: Encrypted with separate backup keys ### Field-Level Encryption (Highly Sensitive Data)- Social Security Numbers: Encrypted at application layer, never logged- Payment card numbers: Tokenized via PCI-compliant provider- Health records: Encrypted with segment-specific keys- Encryption algorithm: AES-256-GCM with authenticated encryption ### Key Management- Key storage: AWS KMS or HashiCorp Vault (FIPS 140-2 Level 3)- Key rotation: Annual for master keys, 90 days for data keys- Key access: Logged and audited, minimum personnel- Key backup: Encrypted backup in separate region ## Data Minimization- Collect: Only data necessary for stated purpose- Retain: Define retention period per data type- Delete: Cryptographic deletion after retention period- Anonymize: Use anonymized data for analytics where possible ## Data Residency- EU customer data: Must remain in EU regions- Financial data: Replicated only within same regulatory zone- Cross-border transfers: Require legal basis and encryptionPrivacy Requirements (GDPR/CCPA):
Privacy Requirements:
1. Data Subject Rights
- Right to access: Export user's data within 30 days of request
- Right to rectification: Allow users to correct their data
- Right to erasure: Delete user data within 30 days of request
- Right to portability: Provide data in machine-readable format
- Right to object: Allow opt-out of processing for marketing
2. Consent Management
- Consent records: Track what user consented to and when
- Consent withdrawal: Process withdrawal within 24 hours
- Granular consent: Separate consent for different purposes
- No dark patterns: Consent must be freely given, not coerced
3. Privacy by Design
- Default to privacy: Most restrictive settings by default
- Data mapping: Maintain inventory of where personal data exists
- Impact assessments: DPIA for new features processing PII
Modern infrastructure should encrypt everything by default. The requirement isn't 'encrypt sensitive data' but rather 'justify any data that is NOT encrypted.' Cloud providers make at-rest encryption free and automatic—there's no reason not to use it.
Network security requirements define how the system is protected at the network layer, controlling traffic flow and preventing unauthorized access.
Network Security Architecture:
| Layer | Control | Implementation | Requirement |
|---|---|---|---|
| Edge | DDoS Protection | AWS Shield, Cloudflare | Mitigate L3/L4 attacks, absorb L7 attacks up to 10M RPS |
| Edge | WAF | AWS WAF, Cloudflare WAF | Block OWASP Top 10, rate limiting per IP |
| Perimeter | Firewall | Security groups, NACLs | Deny all inbound except explicit allow |
| Network | VPC | Private subnets | Databases in private subnets, no public IP |
| Network | Segmentation | Separate subnets | Web tier, app tier, data tier isolation |
| Service | Service mesh | Istio, Linkerd | mTLS between all services |
| Application | API Gateway | Kong, AWS API Gateway | Authentication, rate limiting, request validation |
Network Security Requirements Specification:
Network Security Requirements:
1. Network Architecture
- VPC design: Public, private, and isolated subnets
- Internet exposure: Only load balancers in public subnets
- Database access: Private subnet only, no public IP
- NAT gateway: Outbound internet for private resources
2. Traffic Control
- Default inbound: Deny all
- Allowed inbound: HTTPS (443), explicit service ports
- SSH/RDP: Disabled for public access; use bastion or SSM
- Inter-service: Explicit security group rules per service pair
3. DDoS Protection
- L3/L4 protection: Automatic via AWS Shield Standard
- L7 protection: WAF with rate limiting (1000 req/s per IP)
- Alert threshold: Alert if traffic exceeds 10x normal baseline
- Mitigation: Automatic for known patterns, on-call for novel attacks
4. Web Application Firewall Rules
- OWASP Core Rule Set: Enabled (SQL injection, XSS, etc.)
- Rate limiting: 100 requests/second per IP to any single endpoint
- Geographic blocking: Block high-risk countries if not serving them
- Bot protection: Block known bad bots, challenge suspicious UA
5. API Security
- Rate limiting: Per-key limits, burst handling
- Request validation: Schema validation at gateway
- Response filtering: Strip internal headers, hide server info
- Payload limits: Maximum 10 MB request body
Modern security requirements should embrace Zero Trust: 'Trust no network location. All service-to-service communication shall be authenticated and authorized regardless of network origin. Internal services receive no implicit trust from being 'inside' the network.'
Security doesn't end at prevention. Detection and response capabilities are equally critical. Requirements must specify what is logged, how it's monitored, and how incidents are handled.
Security Logging Requirements:
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556
# Security Monitoring and Incident Response Requirements ## Logging Specifications- Log format: Structured JSON with standard fields- Required fields: timestamp, user_id, session_id, action, resource, source_ip, user_agent, status, duration- Sensitive data: NEVER log passwords, tokens, keys, or PII values (log references like user_id, not actual data)- Tamper protection: Logs shipped to immutable storage (S3 with Object Lock)- Retention: 90 days hot, 1 year warm, 7 years cold (compliance) ## Monitoring and Alerting ### Real-Time Alerts (Page On-Call)- 5+ failed login attempts for same user in 5 minutes- Successful login from new country for user- Access to sensitive data outside business hours- Administrative action without corresponding ticket- Any detected SQL injection, XSS, or path traversal ### Near-Real-Time Alerts (Notify Security Team)- Spike in 403/401 errors (3x baseline)- New user granted admin permissions- Bulk data export initiated- API key created or rotated- Unusual data access patterns (ML anomaly detection) ### Daily Reports- Summary of failed authentication attempts- New elevated permissions granted- Data access patterns for sensitive resources- Compliance checklist status ## Incident Response Requirements ### Detection SLA- Critical incidents (breach in progress): Detect within 15 minutes- High (potential breach, anomaly): Detect within 1 hour- Medium (policy violation): Detect within 24 hours ### Response SLA- Critical: Incident commander engaged within 15 minutes- High: Security team reviewing within 1 hour- Medium: Addressed within 24 hours ### Incident Handling- Contain: Isolate affected systems within 30 minutes of detection- Eradicate: Remove threat, patch vulnerability within [based on severity]- Recover: Restore service from known-good state- Learn: Conduct post-incident review within 5 business days ### Breach Notification- Internal notification: Within 1 hour of confirmed breach- Executive notification: Within 4 hours- Regulatory notification: Within 72 hours (GDPR)- Customer notification: Within timeframe required by regulationLogs containing sensitive data become a breach target themselves. Specify: 'Security logs shall never contain: passwords, API keys, session tokens, full credit card numbers, social security numbers, or personal health information. Masked references (last 4 digits, user_id) shall be used instead.'
Security requirements often originate from regulatory and compliance frameworks. Understanding applicable regulations is essential for complete requirement specification.
Common Compliance Frameworks:
| Framework | Domain | Key Requirements | Applies To |
|---|---|---|---|
| PCI DSS | Payment cards | Encryption, network security, access control, logging | Any system handling card data |
| HIPAA | Healthcare | Privacy, encryption, audit trails, breach notification | Systems with protected health info |
| GDPR | EU privacy | Consent, data rights, breach notification, DPO | Any system with EU user data |
| CCPA | CA privacy | Privacy disclosure, opt-out, data access | Companies serving CA residents |
| SOC 2 | Service orgs | Security, availability, processing integrity | B2B SaaS, cloud services |
| SOX | Financial | Internal controls, data integrity, audit trails | Public companies |
| FedRAMP | US Government | NIST 800-53 controls, continuous monitoring | Cloud services for US Gov |
Compliance Requirements Specification:
Compliance Requirements:
1. Applicable Frameworks
- PCI DSS: System processes payment card data
- GDPR: System stores EU customer data
- SOC 2 Type II: Required by enterprise customers
2. PCI DSS Requirements
- Scope: Payment processing and stored card data
- Network segmentation: Card data environment (CDE) isolated
- Encryption: TLS 1.2+ for transit, AES-256 for storage
- Access: MFA for CDE access, quarterly access reviews
- Logging: 1 year retention, daily log review
- Vulnerability scanning: Quarterly ASV scans
- Penetration testing: Annual, after significant changes
3. GDPR Requirements
- Lawful basis: Document legal basis for each processing activity
- Consent: Affirmative consent for marketing, granular options
- Data subject rights: Implement access, portability, erasure
- Cross-border: Standard contractual clauses for non-EU transfers
- DPIA: Conduct for new features involving personal data
- DPO: Appointed, contact details published
- Breach notification: Process to notify within 72 hours
4. SOC 2 Requirements
- Security: Access controls, encryption, monitoring
- Availability: Uptime SLAs, disaster recovery, incident response
- Audit evidence: All controls documented, evidence collected
- Third-party auditor: Annual Type II audit
5. Certification Timeline
- SOC 2 Type I: Complete by [date]
- SOC 2 Type II: Complete by [date + 6 months]
- PCI DSS: Compliance by [date]
- Annual recertification: Ongoing
Regulatory requirements represent minimum acceptable security. Your requirements should aim higher: 'While PCI DSS requires TLS 1.2, this system shall require TLS 1.3 as the minimum. Compliance represents the floor, not the ceiling.'
We have covered the complete framework for security requirements. Let's consolidate the essential takeaways:
Module Complete:
With security requirements, we have completed the comprehensive exploration of non-functional requirements. You now have frameworks for specifying:
These five dimensions form the foundation upon which all architectural decisions rest. A system designed without clear non-functional requirements is a system designed for failure—not because it doesn't work, but because it can't verify that it works the way it needs to.
You have mastered the complete framework for defining non-functional requirements. These specifications—scalability, availability, latency, consistency, and security—form the quality attributes that distinguish systems that merely function from systems that excel. Every architectural decision in subsequent system design work should trace back to these non-functional requirements.