Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 1 year ago.
Improve this question
I have to write the "assumptions" part of a pentest report and I am having trouble understanding what I should write. I checked multiple pentest reports (from https://github.com/juliocesarfort/public-pentesting-reports) but none of them had this paragraph. Also I found this explanation "In case there are some assumptions that the pen-tester considers before or during the test, the assumptions need to be clearly shown in the report. Providing the assumption will help the report audiences to understand why penetration testing followed a specific direction.", but still what I do have in mind it is more suited for "attack narative".
Can you provide me a small example (for one action, situation) so I can see exactly how it should be written?
I would think the "assumptions" paragraph and the "Attack narrative" paragraph are somehow overlapping. I would use the "Assumptions" paragraph to state a couple of high level decisions made before starting the attack, with whatever little information the pentester would have on the attack. I would expand on the tools and techniques used in the "Attack narrative" paragraph
For example an assumption could be:
"The pentester is carrying on the exercise against the infrastructure of a soho company with less than 5 people It is common for soho companies to use consumer networking equipment that is usually unsecure, and left configured as defualt. For this reason the attacker focused on scanning for http and ssh using a database of vendors default username and passwords"
Related
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 5 years ago.
Improve this question
For a beginner hobbyist, it seems fairly common to create everything in the order it will be viewed by the user, regardless of its importance, and to intertwine back-end and front-end development.
Obviously, this isn't the most efficient method and would probably be avoided by more experienced developers. I've been exploring different ways to order software development, but I'd like to know if there's a standard that's widely accepted or recommended by the industry.
That is what software development processes are for.
Thing is: there are many different processes; thus there are many different answers to your question.
In 2017, most organisations use processes around the "agile" mindset (or they try to get there), thus your first stop could be Agile software development.
And to give a direct answer to your question:
when you start an agile project, you simply don't know about "all the things the user will view"
instead, you collect requirements
you translate requirements into "user stories"
then the development team and the users (or user representatives) decide on the priority of those user stories
and then, during the development iterations (sprints) a subset of the "most important" user stories is implemented
The key part here: requirements and their priorities are subject to change. The idea to collect everything upfront, to then define an order over all items is simply rejected nowadays.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 5 years ago.
Improve this question
I know what is "use case", but I haven't any idea about "E2E" in this context.
What does "E2E use case" mean?
It should be "End to End" Use Case.
As Emil said it means End to End.
As with most terminology it can mean different things from company to company. So always ask your group to explain what they mean with this word.
For me an "End to end use-case" means a list of steps that follow the full process from beginning to end. For example buying some from a web-shop:
Open website
Put stuff in basket
Register a new account
Pay
Receive the order confirmation
Receive the shipping confirmation
Get the actual stuff
In the world of software development I would also add that it uses the full-stack (e.g. from UserInterface till database and back) as it would be in a production environment.
Other reads:
UML E2E use-case example: http://www.modernanalyst.com/Resources/Articles/tabid/115/ID/2017/End-to-End-UML-Use-Case-Diagram.aspx
In my practice 'e2e' means 'End to end test scenarios' and defines business-relates scenarios.
Not checking button is checked only or control contains expected value, but describes real business processes, the value user gets moving through this process.
So this processes should be automated or checked with higher priority than others.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
I have some software which we added an open common file format (.iwb) to. The government organisation that initiated that work has been cut in the cutbacks.
Now a not for profit organisation has taken up the mantle, however its going to cost and once you pay you are not allowed to reveal the "materials" you gain.
http://www.imsglobal.org/iwbcff/jointheIWBCFFIalliance.cfm
I understand people need to be paid but the whole not sharing thing makes it feel like its going against what a standard is meant for.
What's a good strategy:
Pay up and shut up (there might be plenty of closed standards
that work in this way)
Fork the standard to an organisation that will not require people to pay to read it
Drop the file format
Stay behind the curve and reverse engineer the files
Any standard that is not freely accessible is no standard at all but is instead a proprietary format. I'd say either:
petition them to open the standard up
Drop your support for it (and tell your customers why you have to)
Fork an earlier open version and create a free version of the standard
Paying for access to a standard sounds like a horrible idea because:
It encourages this behavior
It's likely to just be wasted money because others won't want to pay either, and a standard used by no one is not a standard.
Publish the last version you had access to.
Site that you support that version of the standard.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 8 years ago.
Improve this question
Suppose an actor A has the site of an actor B in iFrames. There is no difference in the sites except the url. Urls are totally different. Should the actor A ask a permission of the actor B for using B's site? Is there any law that forbid placing other site on a site in iFrames?
Not a programming question, but at least let me help you with a link to a site. The owner of plagiarismtoday.com have had some of your concerns and, although not a lawyer, have collected quite a bit of information.
http://www.plagiarismtoday.com/2009/04/07/is-the-diggbar-content-theft/
Read The Law on Framing and follow the link to the case of Washington Post v. TotalNews
You should also check your country and local state laws, there is no such thing as a standard legal solution because it changes from one place to the other and many countries do not have laws on what you are asking. However, let me tell you, the web seems to be dominated by two frame of mind, or law philosophy:
lex mercatoria: these folks tend to think the web is commerce and commerce laws should apply, which are mostly derived by mores and civil laws
lex retis: these folks say the web is anarchy, no law should govern it
PS: I am a lawyer. Even if this is a bit complicated, I hope you can get an idea.
As far as I can tell, it only becomes a legal problem if the iframe is used to perpetrate fraud, deceptive marketing, or somesuch. Short of that, it's merely annoying. You can always use framebusters/framekillers if it bothers you enough.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 9 years ago.
Improve this question
How many people actually write an SDD document before writing a single line of code?
How do you handle large CSCI's?
What standard do you use for SDD content?
What tailoring have you done?
I certainly have. Historically and on recent projects.
Years ago I worked in organisations where templates were everything.
Then I worked other places where the templates were looser or non-existent or didn't fit the projects I was working on.
Now the content of the software design is pretty much governed by what I need to describe to get the idea across to the audience.
"before writing a single line of code" there wouldn't be a a lot of detail. The documents I produce before I start coding are meant to get the idea of what we need to build across to the affected teams and senior management so they introduce high level architecture, functionality, technologies, risks and scope. Those last two are really important. The rest is to show other teams where you need to interface with them and to leave managers with a lingering notion that cool stuff is happening.
Most big software companies have their own practices. For example Motorola has detailed documentation for every aspect of software development process. There are standard templates for each type of documents. Having strict standards allows effectively maintain huge number of documents and integrate it with different tools. Each document obtains tracking number from special document-tracking system. They even have system (last time I seen it was in stage of early development) for automatically requirements tracking - you can say which line of code relate to given requirement\design guideline.
I would suppose that most people who write SDD documents and use terminology like CSCI have to be using a specific software development methodology and most likely are working for some serious government customer. They usually tend to take their preparations quite seriously and the documents are ready and approved before any development starts.
In an Agile process the development and the design document could be developed in parallel. It means that there will be plenty of refactoring to be done but it usually delivers very good results in the end.
In more formal processes (like RUP) a SAD document is mostly created during the elaboration/prototyping phase based on the team research.