Successful, quality software projects need to be able to rely on a
sufficient level of security in order to manage the technical, legal and business risks that arise from distributed development. The definition of a `sufficient´ level of security however, is typically only captured in implicit requirements that are rarely gathered in a methodological way. Such an unstructured approach makes the work of quality managers incredibly difficult and often forces developers to unwillingly operate in an unclear/undefined security state throughout the project. Ideally, security requirements are elicited in methodological manner enabling a structured storage, retrieval, or checking of requirements. In this paper we report on the experiences of applying a structured requirements elicitation method and list a set of gathered reference security requirements. The reported experiences were gathered in an industrial setting using the open source platform OpenCIT in cooperation with industry partners. The output of this work enables security and quality conscious stakeholders in a software project to draw from our experiencesand evaluate against a reference base line.