Security as an NFR encompasses authentication (who are you?), authorization (what can you do?), encryption (protecting data in transit and at rest), and threat modeling (proactively identifying attack surfaces). The STRIDE model (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) provides a structured threat identification framework. Defense-in-depth means no single security control is a complete defense — the principle of least privilege, input validation, and network segmentation must all operate simultaneously. Modern systems increasingly adopt a zero-trust architecture: never trust, always verify, regardless of network location.

Key Points

  • Authentication: prefer OAuth 2.0 + OIDC with short-lived JWTs (15-minute expiry) + refresh token rotation; never roll your own crypto or auth.
  • Authorization: RBAC (role-based) for coarse-grained, ABAC (attribute-based) for fine-grained; enforce at the service layer, not just the API gateway.
  • Encryption in transit: TLS 1.3 minimum, enforce HSTS, pin certificates in mobile apps; encryption at rest: AES-256 with KMS-managed keys.
  • SQL injection, XSS, SSRF, and IDOR remain the OWASP Top 10 staples — parameterized queries (SQLi), Content-Security-Policy headers (XSS), egress filtering (SSRF), and per-request object-level authorization checks (IDOR) address these.
  • Secrets management: never store credentials in source code, and never let them leak through environment variables captured in CI logs or artifacts; use HashiCorp Vault, AWS Secrets Manager, or GCP Secret Manager.
  • Zero-trust network: mutual TLS (mTLS) between services, micro-segmentation, no implicit trust based on IP or VPN membership.
  • Supply chain security: pin dependency versions, run SCA (Snyk, Dependabot) in CI, sign container images with Cosign/Notary, enforce SBOM generation.
  • Penetration testing + bug bounty programs provide adversarial validation that automated scanners miss — schedule at minimum annually or after major architecture changes.
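The authorization and IDOR points above, as an added example (not code from the original page): RBAC gates the action by role, ABAC then compares caller and object attributes, and both checks sit in the service function next to the data access. The role table, tenant and owner attributes, and invoice records are hypothetical, constructed for this example.

```python
# Added example, not from the page: authorization enforced in the service
# layer. RBAC gates the action by role; ABAC then compares caller and object
# attributes (tenant, owner), which is what stops IDOR: a guessed id alone
# never grants access.
from dataclasses import dataclass
# Hypothetical coarse-grained RBAC table: role -> permitted actions.
ROLE_PERMISSIONS = {
    "viewer": {"invoice:read"},
    "accountant": {"invoice:read", "invoice:update"},
    "admin": {"invoice:read", "invoice:update", "invoice:delete"},
}

@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str
    role: str

@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    tenant_id: str
    owner_id: str
    amount: int

# Constructed sample records standing in for the database.
INVOICES = {
    "inv-1": Invoice("inv-1", "tenant-a", "alice", 120),
    "inv-2": Invoice("inv-2", "tenant-a", "bob", 80),
    "inv-3": Invoice("inv-3", "tenant-b", "carol", 500),
}

def is_allowed(p: Principal, action: str, inv: Invoice) -> bool:
    if action not in ROLE_PERMISSIONS.get(p.role, set()):
        return False                      # RBAC: role may not do this at all
    if inv.tenant_id != p.tenant_id:
        return False                      # ABAC: never cross a tenant boundary
    if p.role == "viewer" and inv.owner_id != p.user_id:
        return False                      # ABAC: viewers see only their own
    return True

def get_invoice(p: Principal, invoice_id: str) -> "Invoice | None":
    # The check sits next to the data access, so every caller (gateway,
    # batch job, internal RPC) passes through it. "Missing" and "not yours"
    # both return None so ids cannot be enumerated by error type.
    inv = INVOICES.get(invoice_id)
    if inv is None or not is_allowed(p, "invoice:read", inv):
        return None
    return inv
```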

Real-World Example

The 2020 SolarWinds attack demonstrated supply chain compromise at scale — malicious code injected into a build pipeline was signed and distributed as a legitimate update to 18,000 organizations including US federal agencies. This drove adoption of SLSA (Supply chain Levels for Software Artifacts) and signed SBOMs as security NFRs in regulated industries.