072 – Set maximum response time

Summary

The response time with the maximum expected concurrence must be no more than 5 seconds.

Description

Response time is a relevant measure of a system's availability and adaptability to stress. It is also important when it comes to usability and reliance. For these reasons, the response time must not surpass 5 seconds when the number of concurrent users reaches its peak.

Supported In

Essential: True

Advanced: True

References

• CAPEC-125. Flooding
• CAPEC-130. Excessive allocation
• CWE-400. Uncontrolled resource consumption
• CWE-770. Allocation of resources without limits or throttling
• CWE-1325. Improperly controlled sequential memory allocation
• GDPR-32_1c. Security of processing
• AGILE-11. Best architectures, requirements, and designs
• HITRUST-01_u. Limitation of connection time
• IEC62443-RA-7_1. Denial of service protection
• WASC-A_07. Buffer overflow
• WASC-A_10. Denial of service
• ISSAF-E_22. Network security - Switch security assessment (layer 2 port authentication)
• ISSAF-H_14_13. Network security - Intrusion detection (detection engine)
• ISSAF-Q_16_34. Host security - Windows security (denial of service attacks)
• ASVS-11_1_2. Business logic security
• ASVS-11_1_3. Business logic security
• ASVS-11_1_4. Business logic security
• CASA-11_1_4. Business Logic Security
• OWASPAPI-API4. Lack of Resources & Rate Limiting
• OWASPLLM-LLM10:2025. Unbounded Consumption

Weaknesses

• 211 – Asymmetric denial of service - ReDoS
• 316 – Improper resource allocation - Buffer overflow
• 317 – Improper resource allocation - Memory leak
• 356 – Symmetric denial of service - SMTP
• 357 – Symmetric denial of service - FTP
• 423 – Inappropriate coding practices - System exit
• 002 – Asymmetric denial of service
• 003 – Symmetric denial of service
• 057 – Asymmetric denial of service - Content length
• 067 – Improper resource allocation

Last updated

2025/06/17