What is (full) conformance? [closed] - standards

I'm having trouble understanding what is conformance.
Can you please explain to me what does conformance (and full conformance) mean and which idea does it represent? If you could give me an example (code/how it's expressed in a PL) of it too I would be very grateful.

Ok, I'll give it a shot:
Technologies which are designed to interact with others are subject to specifications. Take, for example, the HTTP protocol – there's a lengthy document explaining how the communication between two entities has to work if they intend to “speak” HTTP.
If a piece of software is able to interact with another piece of software according to its specification, it conforms to the specification. The great thing is, you don't need to know anything about the internals of the other software, just implement the specs, and you're fine.
Sometimes a piece of software is not 100% conformant to the given specification, e.g. when it implements only parts of the specification or intentionally violates the specification.
For example, you could write a relatively simple “HTTP server” with a single line of shell code, but this would be far from a full implementation of the HTTP protocol.
Long story short: Full conformance simply means that your implementation fully respects every (mandatory) aspect of a given specification. Not more, not less.
Now, you've tagged your question standards-compliance – so, what's the difference between compliance and conformance? Generally, both terms can be used widely synonymously. However, conformance refers to any specification, whereas compliance usually refers to a standard.
Not every specification is a standard. For example, I can specify an API for a piece of software or a web service. For example, the Facebook web service APIs are a specification, but not a standard.
A standard is a very formal specification of a generic technology; it is published by some sort of (usually independent) body and is authoritative for the ecosystem it applies to. For example, the HTTP protocol is a standard which has been published by the IETF and is authoritative for all companies, organisations and individuals who develop web servers and web clients such as browsers.

How to generate a website accessibility report? [closed]

What is the best way to check a website's WCAG 2.1 accessibility standard? I want to generate a report if a website's accessibility is of a AA WCAG 2.1 standard.
Producing such a report is called an accessibility audit.
For the way to check, the Website Accessibility Conformance Evaluation Methodology (WCAG-EM) 1.0 is the relevant standard, which is part of the WCAG 2.
It describes how to proceed in an audit:
Define the Evaluation Scope
Explore the Target Website
Select a Representative Sample
Audit the Selected Sample
Report the Evaluation Findings
Further, there is guidance on involving users and using evaluation tools, both of which are optional for conformance with the EM.
For most people, it’s impossible to evaluate all success criteria without using a tool.
There are plenty of spreadsheet solutions out there that help with the evaluation; some governments provide spreadsheets based on their national adoption of the WCAG.
The Web Accessibility Initiative created their own, simple WCAG-EM Report Tool, and then there are several commercial solutions.
In my opinion, the following criteria matter:
Combine automatic and manual testing
Only a smaller part of a site’s performance can be checked automatically, so you’d need a tool that guides you through the manual parts as well.
Ideally, the automatic parts would already be covered and taken into account.
Avoid re-evaluation of common components
Modern sites, especially web applications, are constructed component-based, with components re-appearing on each page. These are based on the exact same code and will behave the same across pages. Like header, navigation and footer.
A page-based evaluation is therefore not very practical.
An ideal tool™ would take into account that these exist and re-use the component’s evaluation for each page that includes the component.
Tools that provide these features
The market leader on accessibility tools is deque with their axe suite. They offer the axe Auditor, which starts evaluation of each page with an automatic audit, and then guides the auditor through the remaining manual checks, providing a combined report at the end.

What does "assumptions" refer to when writing a pentest report? [closed]

I have to write the "assumptions" part of a pentest report and I am having trouble understanding what I should write. I checked multiple pentest reports (from https://github.com/juliocesarfort/public-pentesting-reports) but none of them had this paragraph. Also I found this explanation: "In case there are some assumptions that the pen-tester considers before or during the test, the assumptions need to be clearly shown in the report. Providing the assumption will help the report audiences to understand why penetration testing followed a specific direction." But still, what I have in mind is more suited for the "attack narrative".
Can you provide me a small example (for one action, situation) so I can see exactly how it should be written?
I would think the "assumptions" paragraph and the "Attack narrative" paragraph are somehow overlapping. I would use the "Assumptions" paragraph to state a couple of high-level decisions made before starting the attack, with whatever little information the pentester would have on the attack. I would expand on the tools and techniques used in the "Attack narrative" paragraph.
For example an assumption could be:
"The pentester is carrying on the exercise against the infrastructure of a SOHO company with less than 5 people. It is common for SOHO companies to use consumer networking equipment that is usually insecure and left configured as default. For this reason the attacker focused on scanning for HTTP and SSH using a database of vendors' default usernames and passwords."

Meaning behind version numbers (i.e. 0.1, 0.10.10, 1, etc) [closed]

How are versions numbered? What is the proper idea behind going to next version, increments, etc?
For example, I often see v0.1, v0.2, v0.34567 etc. I assume these are pieces of software that are in beta and haven't finished the first release yet.
But there is also a lot of software that is at v0.10.11, etc. How do these work?
There is not a specific standard - anybody can follow any scheme (or lack of scheme). It's up to corporate policy, development standards, or whatever guidelines you are under.
There are some popular standards out there. We try to follow the Semantic Versioning standard. The basic tenets include (quoted):
Given a version number MAJOR.MINOR.PATCH, increment the:
MAJOR version when you make incompatible API changes
MINOR version when you add functionality in a backwards-compatible manner
PATCH version when you make backwards-compatible bug fixes.
Links:
Semantic Versioning: http://semver.org/
Other versioning schemes: http://en.wikipedia.org/wiki/Software_versioning#Schemes
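The rules quoted above have a precise ordering behind them (numeric fields compare as integers, so 0.10.11 is newer than 0.9.0, and a pre-release sorts below its release). The following is an added example, not code from the answer or from semver.org, that parses, compares and bumps version strings under those rules; the leading "v" and the caret-style `compatible()` check are assumptions taken from common tooling conventions, not from the spec itself.

```python
"""Parse, compare and bump Semantic Versioning 2.0.0 strings (added example)."""
import re

# An optional leading "v" is accepted as a convenience; semver itself has none.
_SEMVER_RE = re.compile(
    r"^v?(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)"
    r"(?:-(?P<pre>[0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?"
    r"(?:\+(?P<build>[0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?$")

def is_semver(version):
    """True only for a full MAJOR.MINOR.PATCH string; "v0.1" is not one."""
    return _SEMVER_RE.match(version) is not None

def parse(version):
    """Return ((major, minor, patch), pre_release_ids, build) or raise ValueError."""
    m = _SEMVER_RE.match(version)
    if not m:
        raise ValueError(f"not a semantic version: {version!r}")
    core = tuple(int(m.group(k)) for k in ("major", "minor", "patch"))
    pre = tuple(m.group("pre").split(".")) if m.group("pre") else ()
    return core, pre, m.group("build")

def _pre_key(ident):
    # Numeric identifiers compare as integers and rank below alphanumeric ones.
    return (0, int(ident), "") if ident.isdigit() else (1, 0, ident)

def compare(a, b):
    """-1, 0 or 1 by semver precedence; build metadata is ignored."""
    (ca, pa, _), (cb, pb, _) = parse(a), parse(b)
    if ca != cb:
        return -1 if ca < cb else 1
    if (pa == ()) != (pb == ()):      # exactly one side is a full release
        return 1 if not pa else -1    # a release outranks its pre-releases
    ka, kb = [_pre_key(x) for x in pa], [_pre_key(x) for x in pb]
    # Python list ordering already ranks an equal-but-shorter prefix lower.
    return 0 if ka == kb else (-1 if ka < kb else 1)

def bump(version, part):
    """Increment MAJOR, MINOR or PATCH; the fields to the right reset to 0."""
    (major, minor, patch), _, _ = parse(version)
    if part == "major":
        return f"{major + 1}.0.0"
    if part == "minor":
        return f"{major}.{minor + 1}.0"
    if part == "patch":
        return f"{major}.{minor}.{patch + 1}"
    raise ValueError(f"unknown part: {part!r}")

def compatible(required, candidate):
    """Caret-style check (assumed convention): same MAJOR and candidate >= required;
    while MAJOR is 0 a MINOR change is treated as breaking, as the spec allows."""
    (rmaj, rmin, _), _, _ = parse(required)
    (cmaj, cmin, _), _, _ = parse(candidate)
    if cmaj != rmaj or compare(candidate, required) < 0:
        return False
    return rmaj != 0 or cmin == rmin
```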
There are competing standards, which saddens me greatly, especially in a world where git is popular.
SemVer, as mentioned, helps a great deal, but a lot of popular software doesn't use it.
Unfortunately, this doesn't help a great deal when dealing with distros, who apply patches to specific versions of software, effectively changing its version.
The closest to "proper" I have seen yet is done by NixOS. Each version of their software is hashed, as are all patches applied, and each end result has a different hash, like any change in Git.
The resulting output will be different as well, uniquely identifying it against others.
Until that method is adopted, it's a free-for-all, and versioning is not a consistent thing.

IEEE Software Standards [closed]

The IEEE has a long list of standards for almost every step within the software engineering process. How many of you have seen a reference to such standards in the documentation you read?
I think the idea of combining the suggestions from many veterans is a good thing, but I have the feeling that not many projects ever quote not even one single of those documents. Maybe only the huge ones?
Since the standards are paid, I do not expect to ever see them quoted from open source applications. My question is directed to those of you working with proprietary source code.
What exactly are you expecting? The average open source developer might not have access to IEEE standards, but the standards permeate the entire computer industry. For example, IEEE 754 specifies the standard for floating point computation that is used by most modern systems, including every one of the numerous open source JavaScript implementations.
The reason the usage of such standards isn't very visible has nothing to do with open or closed source; it is a function of how low-level most IEEE standards are. Most programmers work at much higher levels than IEEE standards, many of which are only of interest to hardware and driver developers. I expect the number of developers deterred from starting open source projects because of lack of access to the standards to be quite small.
Never. The larger the project, the larger the cost. The larger the cost, the more importance in getting it done and selling it. Standards are just a set of ideals--they don't sell software for you.

Software Design Description Practise [closed]

How many people actually write an SDD document before writing a single line of code?
How do you handle large CSCIs?
What standard do you use for SDD content?
What tailoring have you done?
I certainly have. Historically and on recent projects.
Years ago I worked in organisations where templates were everything.
Then I worked other places where the templates were looser or non-existent or didn't fit the projects I was working on.
Now the content of the software design is pretty much governed by what I need to describe to get the idea across to the audience.
"Before writing a single line of code" there wouldn't be a lot of detail. The documents I produce before I start coding are meant to get the idea of what we need to build across to the affected teams and senior management, so they introduce high-level architecture, functionality, technologies, risks and scope. Those last two are really important. The rest is to show other teams where you need to interface with them and to leave managers with a lingering notion that cool stuff is happening.
Most big software companies have their own practices. For example, Motorola has detailed documentation for every aspect of the software development process. There are standard templates for each type of document. Having strict standards allows effectively maintaining a huge number of documents and integrating them with different tools. Each document obtains a tracking number from a special document-tracking system. They even have a system (the last time I saw it, it was in an early stage of development) for automatic requirements tracking: you can say which line of code relates to a given requirement\design guideline.
I would suppose that most people who write SDD documents and use terminology like CSCI have to be using a specific software development methodology and most likely are working for some serious government customer. They usually tend to take their preparations quite seriously and the documents are ready and approved before any development starts.
In an Agile process the development and the design document could be developed in parallel. It means that there will be plenty of refactoring to be done but it usually delivers very good results in the end.
In more formal processes (like RUP) an SAD document is mostly created during the elaboration/prototyping phase based on the team's research.
