New White Paper: Measuring the Size of Security Requirements

May 29, 2025 New Features

Security is one of the non-functional characteristics of a software product. However, some security activities (such as login and logout) are considered functional and hence are counted by function points (FP) according to function point analysis (FPA).

The purpose of this document is to guide users of the International Function Point Users Group (IFPUG) methods to distinguish between the functional and the non-functional aspects of software security. It contains general guidelines as to what should be considered functional and what should be considered non-functional. It also presents case studies using the Software Non-functional Assessment Process (SNAP) methodology to size security non-functional requirements (NFRs).

The intended audience of this paper includes all levels of professionals who need to apply FPA and SNAP to measure software security requirements. Those who need to interpret and use the results of such measurements in the context of project estimating, planning and control will also find this paper of interest.

Sections 2-5 are oriented to all users.
Section 6 and the sections that follow address the non-functional aspects of security and are oriented to SNAP users.

This section discusses the functional and non-functional aspects of the software in reference to the ISO definition of security requirements, the definition of the user, functional user requirements (FURs) and non-functional user requirements (NFRs).
