How to Gather Requirements

I was interviewing recently for a new company when I got the question regarding how I would gather the requirements for a new project. Unfortunately I stuttered a bit on this question and I think as such I performed badly on the interview. This would have been easier for me to answer in essay form. So to be better prepared next time I figured why not write down some thoughts and experiences for myself around the topic of requirement-gathering. That way next time I have an interview with a similar question, or maybe I need to be a bit better organized for a project, I'm better prepared and have some material to reference.

Maybe I'll update this post in the future.

Scope of the project

I'm lazy and inherently don't like these types of formal processes. It often feels like bureaucracy, with too many people involved and too many meetings. So I think before you start this boring process you should really consider if it's worth it in the first place. For small projects I would argue against it, or at least doing something less involved and quick.

Categorization of Requirements


- Target Audience


  • How many people will use this application?
  • How often will they use it? or how much data/connections does it require? Think e.g. streaming 4K vides vs reading static text.
  • How much data do we need to store?


Basic questions that depends on your country.

  • Are we even allowed to do this?
  • How long should we store X data? Are there any rules around how we should store Y data? (e.g. credit card info, healthcare data)

User Stories



Threat Modeling

If the project is security or privacy sensitive, I would definitely take a threat modeling approach.

I'm far from an expert on the topic, but I've at least read most of a book on the topic. I also sort-of-maybe did some sort of threat modeling for my master thesis. This is my understanding of it. In reality this is much more detailed but this is my handwavy explanation.

To explain in brief: You want to determine what actors may try to hack you (the threat actors) and the capabilities they have, i.e. what type of exploits or attacks they can use on your system. With these in hand, you can now model the components of the system specifically to counter against these specific attacks. You can motivate that your system is secure by way of not being vulnerable against the types of attacks you list in your model.

As an example, you could say that one threat could be a malicious actor on the same WiFi; lets say at a coffeeshop. The WiFi is out of your control, and as such may be the worst secured network in the world, but you have say a mobile app that should communicate with some backend service. The attacker could then do a variety of attacks, such as a MITM attack on the traffic between the mobile app and the backend. With this in mind, we can now take this into account and model in a pinned SSL connections, we can then say that it "counters" the MITM attack. The