Security is widely recognized as a non-functional characteristic of software. However, certain security-related features (like login and logout) are considered functional and hence are counted by Function Points (FP) according to Function Point Analysis (FPA).
The purpose of this document is to guide users of the International Function Point Users Group (IFPUG) methods to distinguish between the functional and the non-functional aspects of software security. It contains general guidelines as to what should be considered functional and what should be considered non-functional.
It also presents case studies using the Software Non-functional Assessment Process (SNAP) methodology to size security non-functional requirements (NFRs).
Whether you’re applying FPA or SNAP to assess software security, or interpreting the results for project estimation, planning, or management, this paper is meant for you. It’s tailored to professionals at all levels who deal with software measurement.
- Sections 2–5 are relevant for all users.
- Section 6 and beyond take a deeper dive into the non-functional side of security, focusing on SNAP.
This section discusses the functional and non-functional aspects of software with reference to the ISO definition of security requirements, the definition of the user, functional user requirements (FURs), and non-functional user requirements (NFRs).