Summary

The response time with the maximum expected concurrence must be no more than 5 seconds.

Description

Response time is a relevant measure of a system's availability and adaptability to stress. It is also important when it comes to usability and reliance. For these reasons, the response time must not surpass 5 seconds when the number of concurrent users reaches its peak.

References

• CAPEC-125. Flooding
• CAPEC-130. Excessive allocation
• CWE-400. Uncontrolled resource consumption
• CWE-770. Allocation of resources without limits or throttling
• CWE-1325. Improperly controlled sequential memory allocation
• GDPR-32_1c. Security of processing
• AGILE-11. Best architectures, requirements, and designs
• HITRUST-01_u. Limitation of connection time
• IEC62443-RA-7_1. Denial of service protection
• WASC-A_07. Buffer overflow
• WASC-A_10. Denial of service
• ISSAF-E_22. Network security - Switch security assessment (layer 2 port authentication)
• ISSAF-H_14_13. Network security - Intrusion detection (detection engine)
• ISSAF-Q_16_34. Host security - Windows security (denial of service attacks)
• ASVS-11_1_2. Business logic security
• ASVS-11_1_3. Business logic security
• ASVS-11_1_4. Business logic security
• CASA-11_1_4. Business Logic Security
• OWASPAPI-API4. Lack of Resources & Rate Limiting
• OWASPLLM-LLM10:2025. Unbounded Consumption

Weaknesses

• 002. Asymmetric denial of service
• 003. Symmetric denial of service
• 057. Asymmetric denial of service - Content length
• 067. Improper resource allocation
• 211. Asymmetric denial of service - ReDoS
• 316. Improper resource allocation - Buffer overflow
• 317. Improper resource allocation - Memory leak
• 356. Symmetric denial of service - SMTP
• 357. Symmetric denial of service - FTP
• 423. Inappropriate coding practices - System exit