The danger is when you keep score of the wrong thing because it's easy or precise.

The requirements for our products should be testable and measurable. When a prospective customer tells us the competitor's product is not secure enough and needs registration and log-in functionality, part of understanding what the prospective customer means is to determine how to measure security.
Your product manager may opt for specifications that are less challenging to measure. Rather than specify security metrics, for example, she may instead punt and simply specify the product will include registration and log-in functionality as the prospective customer requested. But doing so doesn't capture the problem the prospective customer is really trying to solve. What does it mean for the product to be secure?
- What information is problematic for an unauthorized user to access?
- What functionality is dangerous for an unauthorized user to employ?
- What are the characteristics of an authorized user?