DE
Here you will find all tactics for the quality characteristic Security.
Confidentiality
Encryption
Encrypt data during transmission and storage
Security
Tactics (77)
Authenticity
Authentication
Verify the identity of users and systems
Authenticity, Integrity
Two-Factor Authentication
Verify identity using two independent factors
Integrity, Confidentiality
Authorization
Control access to resources based on permissions
Confidentiality
Also supports: Integrity, Analyzability
Authorization Concept
Define access rules for critical data and functions
Confidentiality
Also supports: Analyzability
Role-Based Access Control
Control access to application components based on roles
Integrity
Also supports: Availability
Least Privilege
Equip users and processes with only the minimal necessary rights
Accountability
Logging and Monitoring
Log and monitor security-related events
Integrity
Input Validation
Validate all inputs from users and external systems
Authenticity, Integrity
Secure Session Management
Manage sessions based on random, time-limited ids
Integrity
Also supports: Availability
Secure Configuration
Deliver and operate systems with secure default settings
Confidentiality
Security Community
Promote secure software design through exchange with experts and peers
Integrity, Confidentiality
Also supports: Availability
Security Policies for Users
Define mandatory rules for the secure usage of applications
Integrity
Also supports: Availability
Security Policies for Development
Define mandatory rules for secure software development
Integrity, Confidentiality
Also supports: Availability
Security Training
Provide structured, role-specific courses that build deep security expertise
Integrity, Confidentiality
Also supports: Availability
Raising User Awareness
Deliver continuous lightweight nudges that keep security top-of-mind
Integrity
Also supports: Availability
Network Segmentation
Divide the network into security zones with separate trust levels
Integrity
Also supports: Availability
Secure Software Development
Establish security as an integral part of the development process
Integrity
Also supports: Availability
Security by Design
Consider security already in the design of the architecture and implementation
Confidentiality, Integrity
Security Frameworks
Apply structured frameworks to assess and mitigate security risks
Confidentiality, Integrity
Security Certification
Introduce a structured framework for assessing and improving security practices
Integrity, Confidentiality
Also supports: Availability
Security Audits
Regularly check systems and processes for security
Integrity, Confidentiality
Also supports: Availability
Risk Analysis
Identify, assess, and address security risks systematically
Integrity, Accountability
Also supports: Availability
Incident Response Measures
Establish processes and tools for responding to security incidents
Integrity
Also supports: Availability
Backup and Recovery
Ensure regular backup and recoverability of data
Integrity, Authenticity
Also supports: Availability
Secure Protocols
Use only secure and current versions of network protocols
Confidentiality
Also supports: Appropriateness, Correctness, Time-behaviour
Datensparsamkeit
Only collect and store personal data that is necessary for the purpose
Integrity, Confidentiality
Also supports: Availability
Security Tests
Verify security properties through specialized testing methods
Integrity
Also supports: Availability
Threat Intelligence
Collect and analyze information about current threats and attacks
Integrity, Confidentiality
Also supports: Availability
Red Teaming
Conduct comprehensive and realistic attacks on your own systems
Integrity
Also supports: Availability
Security Architecture Analysis
Examine architecture and design for conceptual security gaps
Non-repudiation
Digital Forensics
Establish methods for investigating security incidents and crimes
Integrity
Also supports: Availability
Honeypots
Deploy specially secured decoy systems as bait for attackers
Integrity, Confidentiality
Also supports: Availability
Security Metrics
Define, collect, and evaluate metrics to quantify the security status
Integrity, Confidentiality
Also supports: Availability
Threat Modeling
Conduct systematic analysis of threats, attackers, and countermeasures
Integrity, Confidentiality
Also supports: Availability
Abuse Case Definition
Describe undesirable use cases from an attacker's perspective
Integrity, Confidentiality
Also supports: Availability
Security Requirements Definition
Elicit and document specific requirements for information security
Integrity
Also supports: Availability
Secure by Default
Align default settings and delivery state for maximum security
Integrity, Confidentiality
Also supports: Availability
Trust Boundaries
Define boundaries between systems and components with different trust levels
Integrity, Confidentiality
Data Flow Control
Control and filter data flows between components and systems
Confidentiality, Integrity, Authenticity
Cryptographic Methods
Use proven and standardized algorithms and protocols for cryptographic functions
Confidentiality, Integrity, Authenticity
Key Management
Establish procedures for the secure generation, distribution, and storage of cryptographic keys
Integrity
Also supports: Availability
Secure Coding Guidelines
Define mandatory rules and best practices for secure programming
Integrity
Also supports: Availability
Static Code Analysis
Automatically check source code for programming errors and security vulnerabilities
Integrity
Also supports: Availability
Dynamic Code Analysis
Test security properties by executing and observing program behavior
Integrity
Also supports: Availability
Secure Programming Interfaces
Use libraries and frameworks with built-in security features
Integrity
Also supports: Availability
Prepared Statements
Use parameterized queries to prevent SQL injection
Integrity
Also supports: Availability
Output Encoding
Mask outputs to prevent injection attacks
Integrity
Also supports: Availability
Canonicalization
Transform input data into a canonical representation
Integrity
Also supports: Availability
Fuzz-Testing
Feed randomly generated input data to expose unexpected behavior
Integrity
Also supports: Availability
Negative Testing
Deliberately test invalid inputs and edge cases to check error handling
Integrity
Also supports: Confidentiality, Non-repudiation
Security Regression Tests
Retest previously fixed security vulnerabilities to prevent their recurrence
Integrity, Confidentiality
Also supports: Availability
Security Tests by External Parties
Engage independent security experts to test the application
Integrity, Confidentiality
Also supports: Availability
Penetration Tests
Uncover security vulnerabilities through simulated attacks
Integrity, Confidentiality
Also supports: Availability
System Hardening
Improve the security state of systems and components
Integrity, Confidentiality
Also supports: Availability
Patch Management
Apply security updates and patches promptly
Integrity, Confidentiality
Also supports: Availability
Defense Lines
Implement security mechanisms in multiple layers and levels
Integrity
Also supports: Availability
Malware Protection
Detect and defend against malware through technical measures
Accountability
Also supports: Availability
Security Monitoring
Continuously capture and analyze security-relevant events and data
Integrity
Also supports: Non-repudiation, Authenticity
Endpoint Detection and Response
Monitor endpoints continuously for threats in real-time
Integrity
Also supports: Availability
Vulnerability Scans
Regularly check systems and applications for known vulnerabilities
Integrity
Also supports: Availability
Third-Party Dependency Check
Regularly review dependencies on external software
Integrity, Accountability
Also supports: Availability
Configuration Checks
Document and regularly review security-relevant settings
Integrity
Also supports: Availability
Emergency Drills
Train incident response behavior and test emergency processes
Confidentiality
Also supports: Availability
Physical Security
Protect IT infrastructure through structural and organizational measures
Integrity, Confidentiality
Also supports: Availability
Security Culture
Embed security as a shared value within the organization
Confidentiality, Authenticity
Also supports: Integrity
Zero Trust Architecture
Verify every request regardless of origin or network location
Confidentiality, Integrity
Also supports: Authenticity
API Security
Secure APIs through rate limiting, schema validation, and authentication
Confidentiality, Integrity
Secret Management
Manage application secrets using dedicated vaults and rotation policies
Authenticity, Integrity
Also supports: Non-repudiation
Certificate Management
Manage X.509 certificate lifecycles including revocation and pinning
Non-repudiation, Integrity
Also supports: Authenticity
Digital Signatures
Apply cryptographic signatures for code signing and document verification
Authenticity
Also supports: Accountability
Federated Identity (OAuth/OIDC)
Delegate authentication to trusted external identity providers
Confidentiality
Also supports: Accountability
Privacy by Design
Embed privacy protection into system architecture from inception
Integrity, Confidentiality
Also supports: Availability
Web Application Firewall
Filter HTTP traffic at the application layer against web attacks
Integrity, Authenticity
Supply Chain Security
Secure the software supply chain through SBOMs and provenance checks
Non-repudiation, Accountability
Audit Trail Management
Maintain tamper-proof, cryptographically chained audit records