LOGBOOK

HELP

Quiz Entry - updated: 2026.06.20

What security activities occur during the Requirements phase of SDL?

This is where you decide, before any code exists, what "secure enough" means — capture security/privacy requirements, name owners, and set the quality bar bugs must clear to ship.

Requirements is the cheapest place to influence security, because changing a goal on paper costs nothing. The phase achieves three things:

  • Pins down the security and privacy requirements while there's still freedom to choose architecture — the development team writes them down alongside the functional requirements.
  • Assigns accountability. A dedicated Security Advisor (an experienced security person, often outside the team) reviews the product plan and gives recommendations, and named security/privacy contacts are appointed so there's always someone responsible.
  • Sets the ground rules for tracking and triage. A bug-tracking system is mandated, and the team defines bug bars — the minimum acceptable security quality level. A bug bar is a fixed line drawn up front (e.g. "no remotely exploitable memory-corruption bugs may ship"); anything worse than the bar must be fixed before release, which stops teams from quietly waving through serious flaws under deadline pressure.

Why up front: agreeing the bar before development means security decisions are made calmly by policy, not in a panic the week before launch.

From Quiz: SPRG / SDL and Threat Modeling | Updated: Jun 20, 2026