R072. Set maximum response time


The response time with the maximum expected concurrence must be no more than 5 seconds.


Response time is a relevant measure of a system’s availability and adaptability to stress. It is also important when it comes to usability and reliance. For these reasons the response time must not surpass 5 seconds when the number of concurrent users reaches its peak.


  1. CWE-400: Uncontrolled Resource Consumption The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

  2. GDPR. Art. 32: Security of processing.(1)(c). The controller and the processor shall implement appropriate technical and organizational measures to ensure an appropriate level of security, including the the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.

  3. OWASP-ASVS v4.0.1 V11.1 Business Logic Security Requirements.(11.1.4) Verify the application has sufficient anti-automation controls to detect and protect against data exfiltration, excessive business logic requests, excessive file uploads or denial of service attacks.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.

Service status - Terms of Use - Privacy Policy - Cookie Policy