Quiz Entry - updated: 2026.07.14
How do you write a testable security requirement using the modal verb template?
Fill the template [WHEN condition] THE SYSTEM SHALL/SHOULD/MAY <verb> [WITH <details>] <object> with measurable criteria, so the requirement can be checked by a test case.
Examples — from vague to testable:
| Bad requirement | Good requirement |
|---|---|
| "The system should be secure" | "The system SHALL hash all passwords using bcrypt with a minimum cost factor of 12" |
| "Sessions should timeout" | "WHEN a user is inactive for 30 minutes, THE SYSTEM SHALL invalidate the session and redirect to the login page" |
| "Use encryption" | "The system SHALL encrypt all data in transit using TLS 1.2 or higher WITH certificate pinning for mobile clients" |
| "Prevent brute force" | "WHEN 5 failed login attempts occur within 10 minutes, THE SYSTEM SHALL lock the account for 15 minutes AND log the event" |
Checklist for a testable security requirement:
- Uses modal verb (SHALL/SHOULD/MAY) to indicate obligation level
- Specifies measurable criteria (numbers, algorithms, timeouts)
- Defines trigger conditions (WHEN...)
- States expected system behavior (action + details)
- Can be verified in a test case
Go deeper:
RFC 2119 — Key words for requirement levels — the precise meaning of MUST/SHALL/SHOULD/MAY that keeps a requirement's obligation level unambiguous and testable.