Can ISO 29119 Software Testing "Standard" Really Be a Standard?

New submitter yorgo writes The International Organization for Standardization (ISO) will soon publish part 4 of a 5 part series of software testing standards. According to the website, "ISO/IEC/IEEE 29119 Software Testing is an internationally agreed set of standards for software testing that can be used within any software development life cycle or organisation." However, many in the testing community are against it. Some wonder how the ISO/IEC/IEEE achieved consensus without their input. James Bach speculates that exclusion helped build consensus. Others, such as Iain McCowatt, argue that something as variable as software testing cannot be standardized, at all. And others believe that the motive behind the standards is not increased quality, but economic benefit, instead. Michael Bolton explains "rent-seeking" as he builds on James Christie's CAST 2014 presentation, "Standards – promoting quality or restricting competition?"

A comprehensive list of many other arguments, viewpoints, and information has been collected by Huib Schoots. Opponents of ISO 29119 have even started a petition aimed at suspending publication of the standard. Even so, this might be an losing battle. Gil Zilberfeld thinks that companies will take the path of least resistance and accept ISO 29119.

So, where do you stand? What constitutes a consensus? Can a standard be honored without consensus? Can an inherently sapient activity, such as testing, be standardized, at all? What is the real purpose of a standard? Will companies acquiesce and adopt the standard without question?

Who cares

[hinchles]

Considering ISO certification costs money and most companies refuse to spend money on stuff that isn't ISO 9001 then very few will probably get it. Most dedicated software houses I've encountered seem to prefer getting the TickIT certs instead of ISO certs for actual code certification but nobody bothers with the testing side of things.

Re:Who cares

[Jane+Q.+Public]

I also suspect that this "standard" would be unworkable with some established de facto industry standards that aren't likely to change.

Re:Who cares

[Bite+The+Pillow]

"Who cares" has to be the most useless argument on this page.

The businesses with the most money will obviously attempt to get certification for a bullet point. The people who make decisions based on bullet points care. The people at those companies who have to implement those bullet points care.

More importantly, the customers who have to spend more money care. If it is spread across enough customers that the financial impact is negligible, the customers don't care and the business doesn't care. It all works out okay and the answer is: those who care, care, and those who don't, don't. The answer is that the people who care will care. If you don't, it's out of ignorance.

Is ISO 9001 incompatible with this?

Standards

[Crizzam]

Are rules for some and suggestions for the rest of us. The IEEE can put a standard on cleaning the toilet. If your company wants to follow it to the letter, or just use it as another reference, that's your call. I think the organization of conceptually difficult concepts is a good thing, overall. What we do with that is a whole other thing.

Re:Standards

[UnderCoverPenguin]

At least where I work, most likely is that it will be more paper work to get done - never mind that we already have too much paper work to do. Like us in development, the testing people will make whatever they can conform to this new standard, then file waivers for the rest.

Re:Standards

[JeffAtl]

It's not quite that simple - customers can require the certification. If a customer is sizable enough, the suppliers will have comply to stay in business.

For real world examples, look at the power that the state of Texas has wielded in text book requirements and the state of California with warning labels.

Re:Standards

[michaelbolton]

Organization of conceptually difficult things is fine. A lot of us do this. A group of uninformed and (in my view) insufficiently critical self-appointed process enthusiasts mandating a particular organization for conceptually difficult things is more problematic.

Re:Standards

[michaelbolton]

I feel your pain. I hope you'll join us in a very small way, by signing the petition. http://www.ipetitions.com/peti...

Re:Standards

[w_dragon]

It's worse than that. Large companies will lobby government to make sure that not only government contractors must be certified on the standard, so must anyone who sells to certain regulated industries. Want to sell to airlines or food processors, even if it's non-critical software? Hope you're certified.

Re:Standards

[yorgo]

Companies can't do anything. But, people that run companies can. And people that run companies might be leading, thinking, reasonable people. But, very often, they're following, reacting, unreasonable people. People that will blindly follow "standards" simply because they're called "standards". And other people that report to those people must implement and live by those "standards". Even if the "standards" hinder, instead of help.

Re:Standards

[Crizzam]

I think this enters the arena of Enterprise Architecture. It's a point well observed.

Re:Standards

[arglebargle_xiv]

Are rules for some and suggestions for the rest of us. The IEEE can put a standard on cleaning the toilet.

At least where I work, most likely is that it will be more paper work to get done

Well it is normal practice to not consider cleaning the toilet until the occupant has finished their paperwork.

Can see it now:

[some+old+guy]

MBA CEO: I want our new product to be QA'd according to ISO 29119 before shipping.

Project Manager: Good idea, but that will add some time and overhead cost to my budget.

MBA CEO: Never mind, just ship it.

Re:Can see it now:

[UnderCoverPenguin]

MBA CEO: Never mind, just ship it.

More likely response: "Figure out how to get it done within the existing budget and schedule."

Re:Can see it now:

[tomhath]

Even more likely response: "Have the secretary fill out the paperwork and change our website to say we're ISO 29119 compliant".

Re:Can see it now:

[mariox19]

And if anything goes wrong, we'll crucify the QA people that we never gave enough testing time to in the first place.

Re:Can see it now:

[lgw]

You still have QA people? What luxury!

Re:Can see it now:

[awebb]

Amen to that! No one gives a shit about QA or the 100 issues they find during testing. It's the 1 issue that slips out that causes a riot.

Re:Can see it now:

[Bite+The+Pillow]

More than more likely response: Figure out how to get us compliant so our sales guys can use that ASAP.

Also, don't delay our shipment because those schmucks paid for non-compliant widgets. Delays for no revenue or no value add in the next rounds of sales hurt my bottom line.

It's like you ascribe the next-to-worst attributes to a CEO but don't go all the way and see it realistically the way a CEO would.

Re:Can see it now:

[Veretax]

VP of Engineeing:... that's great, but QA is not a verb, and in fact, that isn't what testing is either. MBA CEO: But what do we call our department responsible for testing. Project Manager: The Quality Assurance Team. VP of Engineering: I didn't choose the name that was there when you hired me.

Which Michael Bolton?

[Type44Q]

Michael Bolton explains "rent-seeking"

The no-talent ass clown known for his God-awful "music" or the one who hates him??

Re:Which Michael Bolton?

[CaptainDork]

You jumped my stuff.

Re:Which Michael Bolton?

[michaelbolton]

Ah. Another primitive attempt at what some of your fellow Earthlings call "humour". Keep practicing! ---Michael Bolton

Re:Which Michael Bolton?

[gstoddart]

But but ... how are we supposed to live without you, now that we've been loving you so long?

Dude, seriously, it must be suck to evoke such a reviled musician every time someone hears your name.

Re:Which Michael Bolton?

[michaelbolton]

Only when people bring it up. So, if you want to help...

Re:Which Michael Bolton?

[ESD]

As this particular thread is off-topic anyway: Thanks for your blog, Mr. Bolton! It's always an interesting read and I try to point new testers to it at least once to get some exposure to a usually unknown view on testing.

Re:Which Michael Bolton?

[gstoddart]

LOL ... well, tell me how you feel, time is on my side, it's just a feeling, but I almost believed you.

This is the internet, everybody's crazy, don't like it, walk away.

From now on you'll know that forever isn't long enough until you hear another Michael Bolton joke.

Just remember to love somebody. The one thing to remember, this is the time you're asking yourself Why me?

So, before you turn a whiter shade of pale, I wanna hear you say it ... If I could go the distance, That's life!

All the best".

There's two lessons to be learned here (one for you, and one for me) ... first, never ask for mercy on the interwebs, not likely to happen. Second, your namesake had way too many damned albums for that to not be a painful process for both of us. ;-)

Cheers (and, yes, feel free to say it ... it was rather childish and annoying. ;-)

Re:Which Michael Bolton?

[michaelbolton]

Thank you, but you've already helped more than enough. :)

Re:Which Michael Bolton?

[yorgo]

Mod parent up.

http://www.developsense.com/bl... is a treasure-trove of testing (and other) information. Simply reading his (and similar) blogs is an quick, easy, and effective (and free!) way to learn about testing. Also, be sure to check out the blog of James Bach for the same reasons: http://www.satisfice.com/blog/.

Wrong focus?

[QuietLagoon]

... According to the website, "ISO/IEC/IEEE 29119 Software Testing is an internationally agreed set of standards for software testing that can be used within any software development life cycle or organisation."...

If I were to jump upon a standard for testing software, the fact that it is "internationally agreed" is way down on the requirements, yet it seems to be mentioned as the main feature here.

Re:Wrong focus?

[rhazz]

Yep, and it only takes two countries agreeing for it to be "internationally agreed"!

Re:Wrong focus?

[TechyImmigrant]

This shit matters if you are selling things internationally. It makes it difficulty for country A to refuse imports of county B's software because it wasn't tested to their local testing standard. If it was tested to an ISO standard it'll do and the WTO will be on their ass if they try to claim otherwise.

That doesn't mean the specs are any good. They aren't. But there is a very real interaction with international trade regulations.

Re:Wrong focus?

[sinij]

You are incorrect. ISO standards are recognized by multiple countries. You can Google the full list.
 
The main advantage of any kind ISO is that it enables your software to get on government procurement lists. This doesn't impact small shops, they don't generally have resources or organizational maturity to sell to governments. There are multiple international, proprietary, and country-specific standards (e.g. ISO, FIPS, Common Criteria, PCI-DSS). International means you only have to go through certification once, not once per country that you were doing before the standard was adopted.

Re:Wrong focus?

[michaelbolton]

That is both an advantage AND a disadvantage, since it affords the potential for rent-seeking (http://www.developsense.com/blog/2014/08/rising-against-the-rent-seekers/ ). Rent-seeking may lead to wasteful documentation, compliance vs. competence, and other forms of goal displacement. See also http://www.developsense.com/pr....

Re:Wrong focus?

[sinij]

Compliance establishes baseline level of competence. As a system integrator, I have seen numerous examples that fall under gross negligence category. As a result, I strongly believe that even ineffective standards testing with associated increased overhead is better than a status quo.

Re:Wrong focus?

[michaelbolton]

Lots of competent testers point out that compliance with ISO 29119 does not in the least establish a baseline level of competence. Your argument "even ineffective standards testing with associated increased overhead his better than a status quo" is basically equivalent to saying "friendly fire is better than not shooting" or "ineffective medicine with severe side effects is better than no medicine at all".

Re:Wrong focus?

[thegarbz]

If I were to jump upon a standard for testing software, the fact that it is "internationally agreed" is way down on the requirements, yet it seems to be mentioned as the main feature here.

I think it may be incidental as a result of the standard being published by ISO/IEC/IEEE. I have seen very few marketing talking about the the international standards. The only time internationalisation is mentioned at all is when the local standards disagree with what the rest of the world is doing and cause grief with the procurement / installation of equipment.

There is only really three questions that should be applied to any standards:

1. Do we have a legal obligation to follow it.
2. Did our clients request we follow it and compensate accordingly?
3. Does it look like a good idea to follow it and if so does it make financial sense for us to do so?

Those are the only three things that ever matter for a standard.

Re:Wrong focus?

[iain.mccowatt]

Competence in what? Establishing document bureaucracies? Proceeding through steps 1 to 10 of a process so generic as to be meaningless? Checking boxes to satisfy the auditor? These are things that 29119 deals in, with scant testing to be seen. Perhaps you are right, perhaps compliance does establish competence, but in this case, in all the wrong things.

Re:Wrong focus?

[yorgo]

Sadly, not everyone thinks like you.

By using words like "internationally agreed" (instead of "locally agreed" or "internationally begrudgingly accepted") and "standard" (implying "the way", and not "a way"), ISO/IEC/IEEE strikes fear into the following, unthinking leaders of companies, who then force the workers to...begrudgingly implement and comply with the "internationally agreed standards".

Anyway, I don't believe that something like testing can be standardized anyway. There simply is no "one size fits all" way to test. "Internationally agreed", or not.

Shades of 2167

[Snotnose]

In the late 80s and early 90s I was involved in 2 projects run under MIL SPEC 2167, which was supposed to ensure product quality. Both were epic disasters. IMHO, 2167 pretty much guaranteed mediocre at best software, taking 3x longer to do, at a cost at least 6x of non-2167

This sounds like the 21st century version of 2167.

Re:Shades of 2167

[gstoddart]

Both were epic disasters. IMHO, 2167 pretty much guaranteed mediocre at best software, taking 3x longer to do, at a cost at least 6x of non-2167

But, I've always assumed that the function of government specs was to achieve precisely that.

I mean, a quality standard defined by a government committee can't actually be expected to have been designed to product actual quality outputs, can it?

I've just assumed they were there to give the bureaucrats something to tick off on their checklist, even if it has nothing to do with the real world.

Re:Shades of 2167

[luis_a_espinal]

In the late 80s and early 90s I was involved in 2 projects run under MIL SPEC 2167, which was supposed to ensure product quality. Both were epic disasters. IMHO, 2167 pretty much guaranteed mediocre at best software, taking 3x longer to do, at a cost at least 6x of non-2167 This sounds like the 21st century version of 2167.

MIL SPEC 2167, iirc, deals with documentation and deliverables. The actual software development process was "guidelined" by some other MIL SPEC. With that said, those were supposed to act as guidelines for a waterfall methodology (which surprisingly, it can actually be used in some contexts, or subverted into a spiral/iterative process.)

I worked at a defense contractor not long ago, and alas, the software projects were horribly run. But I always saw that it was the execution, not the specs per say that was the culprit for each and every single snafu/fubar hybrid I encountered. That and management, and life-long-career jockeys from the punch-card era dictating how to write software, and department infighting.

It's just like CMM/CMMI - A CMMI level X or Y only indicates that, to some degree, an organization a) has a formal process, and b) follows such process.

It doesn't indicate that the process is good - it doesn't even guarantee that *it is not shit*.

What it does, is that it helps an organization guarantee that its constituent parts know what activities to do under what circumstances and tasks in a business lifecycle. And that helps an organization improve things (assuming said organization has the necessary technical wherewithal and culture.)

In private business and with defense contractors, it is the companies who fail to execute (let's think of how many companies ditch source control to become *agile*!) particular practices. Defense contractors have a lot of leeway in negotiating and tailoring the actual execution of a process. Typically, they do not do it because they suck (and for a lot of other political and financial motivation$.)

Re:Shades of 2167

[michaelbolton]

"What it does, is that it helps an organization guarantee that its constituent parts know what activities to do under what circumstances and tasks in a business lifecycle." That claim is unsupportable, since it ignores the role of tacit knowledge; it ignores all the things that the process manual doesn't say; and it ignores all the ways in which the process manual overstructures the work. As James C. Scott points out in /Seeing Like a State/, this is exactly the reason why work-to-rule campaigns can be as effective (that is, more disruptive) than a strike.

Re:Shades of 2167

[CrimsonAvenger]

not the specs per say

Per se.

Do try not to write things you've only heard spoken.

Re:Shades of 2167

[luis_a_espinal]

not the specs per say

Per se.

As a person whose first language is not English, I thank you for your gratuitous lecture.

Do try not to write things you've only heard spoken.

Oh uhmmm, m'kay?

Re:Shades of 2167

[luis_a_espinal]

"What it does, is that it helps an organization guarantee that its constituent parts know what activities to do under what circumstances and tasks in a business lifecycle." That claim is unsupportable, since it ignores the role of tacit knowledge; it ignores all the things that the process manual doesn't say; and it ignores all the ways in which the process manual overstructures the work.

That is why I said this (re-quoting myself in bold/underline below):

"What it does, is that it helps

I guess the following I'm going to say was supposed to be implicit, I will have to be explicit. Only in slashdot.

Of course it ignores tacit knowledge and all the things that the process manual doesn't say. It has to, because attempting to do is impossible in the general case. A process is not supposed to be all encompassing and inclusive. It is supposed to operate at a meta level, to provide structure around activities. It is supposed to be more strategic than tactical. Very few things in a process would cut down to the bare metal of day-to-day operations.

When a process, formal or informal becomes more tactical than strategic, that is when it falls into the realm of micromanaging. Once you have micromanaging in place, then you cannot use such a process to improve things because of all the other dysfunctional social/political forces that cause the process to become micromanaging in the first place.

Again, a capability model is not concerned if your process is geared towards continuous improvement or micromanaging. It is only concerned with the degree in which a) you have one, and b) that you follow it.

If you have a process that is functional, and your organization is functional, and that it follows said process, IT WILL HELP said organization with its improvements.

I should not have to spell that out. It should be self-evident. It should also be self-evident that if any of these pre-conditions are met, then all bets are off (and that such a situation is not a capability model's concern.)

As James C. Scott points out in /Seeing Like a State/, this is exactly the reason why work-to-rule campaigns can be as effective (that is, more disruptive) than a strike.

Yes, you are describing a dysfunctional situation, a combination of a dysfunctional organization, system or set of players and a a dysfunctional process open to abuse. None of that is a capability model's concern, nor are inevitable consequences of having a process.

Automated test in is a minimum

[LostMyBeaver]

First of all. I HATE WRITING UNIT TESTS!!! Know what I hate more? When I get bit in the ass because something that did work before stopped.

Unit testing is step one in any decent software development and I will never enter into or manage another project without unit tests being a critical component of the project. I'll just hire a QA guy to unit test all my code... I don't want to do it haha.

Second, there is absolutely nothing which can't be automatically tested too. When you write code, GUI, Web, Command Line, message based, etc... An automated script to test the code is critical. There are tools for it.

Everything should be tested automatically... That even includes memory leaks when exiting. I would never hire someone even for a C#, Java, Python or even PHP position who doesn't write code which cleans up properly after itself (even if that means correct use of the garbage collector).

I have worked on several multi-million line commercial applications, some with 500 million+ users. I have never seen a piece of code which could not be properly tested using the right tools. That can even include small embedded systems where we would have to actually implement a QEMU module or three.

So... Quit your bitching and write a test suite.

Re:Automated test in is a minimum

[omglolbah]

You would love the control system software we use at work... (world leading platform for the industry).

No revision control. You have 'current' revision. That is it.

Integrated code editor that has no syntax highlighting.

Patches to the system will break components that are not considered 'core'. Which forces updates of ALL components in the system. This has lead to bugs persisting at sites for years with no patch because nobody wants to fix bugs when it costs tens of millions of dollars to do so.

No automatic testing. Of anything. When we update a component everything has to be tested manually. Someone will sit for 2 weeks and check every state of GUI symbols for the whole HMI. Oh joy...

If you change ANYTHING in code, you can no longer connect to controllers to view live data. You need to do a download to the control with the code changes before live data can be observed. This means that as soon as you make changes, you lose the ability to view the old code running. There is no way to have both a 'online capable' version of the code and a changed codebase in the same control system. We operate two separate virtual environments and switch VLANs or just move a cat6 when testing...

This is for oil rig control systems. There is no automated testing of any kind, even for critical emergency shutdown systems. Every test is done manually.
The ESD systems are usually a complex matrix of casues and effects with hundreds of inputs, hundreds of outputs... This is all tested manually as the software does not support any reasonable simulation of the controller input/output systems.

Enjoy that little gem.

Re:Automated test in is a minimum

[UnderCoverPenguin]

I'll just hire a QA guy to unit test all my code...

Actually, that's how the testing should be done. Give the requirements to both teams - testers and developers. Developers design/write the product code. Testers design/write the tests. Then let the testing begin. Problems entered into issue tracking. Both teams fix their respective problems. Retest. Repeat as needed.

Unfortunately, many companies fail to adequately fund testing so devs end up writing tests, which, in turn, catch fewer problems

Re:Automated test in is a minimum

[angel'o'sphere]

In a static typed language unit tests are pretty pointless. You only have them because your developers are using cut/paste to much and accidentally hit return when a line was selected (and delete it by that).
You are far better off if you write user acceptance tests on use case or story level.

I have worked on several multi-million line commercial applications, some with 500 million+ users. I have never seen a piece of code which could not be properly tested using the right tools. That can even include small embedded systems where we would have to actually implement a QEMU module or three I would not count web site visitors as "users", but well ... technically they are.

I can write you in 40 lines a function which you wont be able to automatically test. It only needs some nested loops and an 'if' cascades with loops inside.
Sure: you can refactor that into a lot of small functions, containing only a single loop or a single 'if'.

You lost quite some credibility with using terms or sentences like That even includes memory leaks when exiting. and "... even if that means correct use of the garbage collector ..."
Unfortunately a exiting program can not leak memory, and similar unfortunate, you don't use a garbage collector, it runs in the background. You can parametrize it perhaps ... but thats it. (and please don't tell me you are doing System.gc() in Java programs at "random" intervals)

Re:Automated test in is a minimum

[DeBaas]

First off, I would love it if people took unit testing more seriously and automated it! In my view that helps greatly for getting robust software. However, not for all tests automating is the answer. Especially when you get to acceptance testing (where we validate, rather than verify) or when you do integration testing for systems that communicate with other systems it is not a silver bullet. Aside from feasibility, as automating is time consuming, there are more drawbacks. Automating all tests means assuming that you can anticipate everything that can be wrong and even anticipate every test that should be done just based on the specs. Exactly the context driven testers (such as James Bach and Michael Bolton) believe you can't, we humans are not 'wired' that way. In fact they even are of the opinion (as am I) that the best testing is done by people that design tests to a great deal as you go while testing as long as these are skilled people that understand how the software should work.

Rigorously testing software via automated tests, please do. But in my view there should always still be people that test and see for themselves. The automated tests can and will miss things that are plain obvious to human testers.
   

Re:Automated test in is a minimum

I agree almost 100%, let's say 95%. Automated testing is fantastic. It's not everything though. You can't automatically test for "does it annoy and/or confuse the operator". For that, you need a human to test it. Also I think there are going to be aspects of the test that could be automated and you just didn't think of them. Acceptable performance falls under this category somewhat. An automated test won't tell you that something takes too long to render unless you know what "too long" is for a human. A human has to sit in front of the integrated app and test it at some point.

Like I said though, 95% agreement.

The only automated tests I don't like are the "test suites" that are nothing more than glorified asserts. They're a wast of code. Somebody tried to get me to use one of those one time. I was already doing all my developer unit tests with text files and diff. You print the outputs of functions under test to output.txt. You diff it against expected.txt. If diff outputs anything, it's failure. This is so much more powerful than an assert, and it doesn't require polluting the code under test with anything, or linking a special lib:

Re:Automated test in is a minimum

[michaelbolton]

You are confusing testing (evaluating the product by learning about it through experimentation) with what we call checking (evaluating functions in the product by algorithmic observations and decision rules). http://www.satisfice.com/blog/.... Checking can find lots of functional problems in the product, and it's an important thing to do. But that's not the same as testing the product. Knuth made this distinction using different words years ago: "Beware of using this product. I have merely proven it correct; I haven't tested it."

Re:Automated test in is a minimum

[gnupun]

No. Unit testing is not a tester's responsibility. It is the responsibility of the coder to validate the code they wrote does the basic function it supposed to do.

Unit testing is white box testing and it's okay to get a tester to develop the tests as long as there's feedback from the developer about how the white box code is supposed to behave (internal behavior).

Should devs NOT test? Hell to the no they should definitely test.

Does the average dev have the skill set/ mind set of a tester? No. Even Microsoft often pairs a tester with a developer. Unit tests are likely to find as many or more bugs than black box testing and the typical developer will not be happy/motivated to find bugs in his own code.

So are you willing to deliver a buggy product just because you don't want to spend extra on test developers?

Re:Automated test in is a minimum

[swillden]

In a static typed language unit tests are pretty pointless.

Because static typing catches all bugs? That must be some statically-typed language that I've never seen. Unit tests are perhaps marginally less necessary than in dynamically-typed languages, but they're still necessary. Test-Driven Development is a life saver regardless of your toolset.

I can write you in 40 lines a function which you wont be able to automatically test. It only needs some nested loops and an 'if' cascades with loops inside.

There's nothing untestable about such a function. Basic code coverage tools will even identify any branches within the code that aren't taken, so you know to look for ways to write test cases that cover those branches. What's harder is ensuring coverage of all of the issues that could be provoked by different input data, even after you've covered all of the paths. With experience you learn to do that quite effectively, though.

Sure: you should refactor that into a lot of small functions, containing only a single loop or a single 'if'.

FTFY. Change it to "must" if I'm your code reviewer.

You lost quite some credibility with using terms or sentences like That even includes memory leaks when exiting. and "... even if that means correct use of the garbage collector ..." Unfortunately a exiting program can not leak memory

Sure it can. If there are any heap-allocated blocks remaining (not freed) at exit, the program has a memory leak. Again, there are good tools to help you find these leaks, like valgrind memcheck.

you don't use a garbage collector, it runs in the background. You can parametrize it perhaps ... but thats it. (and please don't tell me you are doing System.gc() in Java programs at "random" intervals)

And yet you can still have leaks in garbage-collected environments, and there are ways to test for them. It's a bit more complex than in non-GC'd environments, but it can -- and must! -- be tested if you want to have reliable software.

Re:Automated test in is a minimum

[Whatsisname]

That's not going to work, because you'll never be able to economically write a requirements document so complete that the behavior is so well defined that you can get meaningful test coverage from it.

To get that kind of completeness you'd have to code the entire software in MSWord, which is a terrible programming language, and without ever testing it along the way.

Testing needs to be a continuous process as part of software development, not something that happens parallel or afterwards.

Re:Automated test in is a minimum

[angel'o'sphere]

Rofl.
Acacademic half knowledge with complete wrongs: If there are any heap-allocated blocks remaining (not freed) at exit, the program has a memory leak
No it has not. Where should the memory go to after the program has exited?

Technically you can test a 40 lines mess of loops and if cascades, practicaly you can't ... or how likely is it that you can prove me in a reasonable time that a certain branch in an if - else inside of a cascade of nested loops and if's is executed with meaningfull data in your test? Especially if I have written the function and you want to write the test?

The rest I leave as it stands if you like to argue about how likely it is that a single compilation unit has a bug that is not dicovered by a functional user acceptance test ... unit tests without user acceptance tests or integration tests are pointless. The next thing is you tell me to test getters and setters ...

But you will figure that soon enough when you have 100% code coverage and still have bugs and wonder why

Btw, I never was in a team that had a memory leak in a GCed language. And I certainly don't waste resources on testing for that unless I have a strong indication that we have a leak.

As I said above: you are full with academic half knowledge and lack (despite your claims to the contrary) real live experience in large systems

Re:Automated test in is a minimum

[Just+Some+Guy]

I love testing. Honestly, if forced at gunpoint to give up testing or version control, I'd be hard pressed to pick. Testing means I can update an innocent-looking line of code without worrying whether it's going to break some arcane business logic that a customer depends on, and that I can gut and reimplement an API while having a reasonable expectation that consumers will keep working afterward. I'm a huge testing advocate.

But.

I have no desire whatsoever to conform to an ISO document about their idea of the right way to do things. Standards are great for ensuring interoperability, but how often do you care about that in a test suite (beyond the minimal "can I make its output look like JUnit so Jenkins can yell at someone when it breaks")?

I'll sit down next to you and help you crank out a comprehensive test suite, because while that's a tedious pain in the ass, it's far less of a pain in the ass than not having one. But I couldn't possibly care less whether the result of our labors is "ISO 29119 Certified (tm)!", probably by a $300 outside consultant, so that we can put an "ISO 29119 Certified (tm)!" logo on our website for PHB's to smile approvingly and longingly at and then forget about.

Re:Automated test in is a minimum

[DarkOx]

Sure it can. If there are any heap-allocated blocks remaining (not freed) at exit, the program has a memory leak. Again, there are good tools to help you find these leaks, like valgrind memcheck.

Really can you point to any contemporary operating system that would NOT free all the memory allocated to a process when it exists? I guess you might mean if your process asks other "servers" to do things like say just exists without closing database connections etc, the other process might not free resources associated with yours but that is not the same thing as a memory leak.

Re:Automated test in is a minimum

[Snotnose]

The automated tests can and will miss things that are plain obvious to human testers.

True dat. The solution is that for every bugfix submitted there is also an automated test to verify it stays fixed.

Automated test suites are not static. They should grow as the project matures and users/developers gain experience with it.

Re:Automated test in is a minimum

[Your.Master]

He's saying you can detect runtime memory leaks at exit time.

The memory won't be leaked anymore post-exit, and the leak doesn't matter at exit time, but that's when it is possible to deterministically detect memory leaks over the course of the software running.

Re:Automated test in is a minimum

[uncqual]

Does the average hobbyist dev have the skill set/ mind set of a tester? No.

FTFY.

If a developer doesn't have the mindset of a tester, perhaps they should find something else to do (maybe the local Walmart needs a greeter?) or be assigned support "on-call" more regularly so they can experience being waken at 3AM due to someone failing to design, implement, and test well. If someone doesn't have the mindset of a tester and their title is something like Senior Software Developer or higher, there is a serious title inflation problem in their workplace.

Design and implementation decisions, the classic "developer" roles, impact testing. Someone who doesn't grok and appreciate testing has no business playing a significant role in design. In my experience, one of the reasons that unit testing is sometimes quite hard (sometimes updating the unit tests takes much more effort than the corresponding modest change to the base code took) is that systems are rarely designed to be easily unit testable - commonly there's a "shadow" unit testing world of hacks layered on hacks relying on side effects of this subsystem or that subsystem that is cobbled together and labeled something like "the unit test environment".

When a developer commits code, they should be sure it works and take it personally (i.e., as a personal failing) and use it as a learning experience if the code fails either due to a design/coding error within the scope of the code (generally extending throughout the entire subsystem even if just one line in one module was changed) or misuse of some external service/API. Failures that arise from inter-subsystem interactions due to ambiguous specifications or not yet understood interactions are what testers should be finding (and the architects should usually be held accountable for those failures).

As well, you want developers to have a mindset of testing because they are then the most likely to develop and adapt tools that actually make testing a repeatable and low cost process.

Re:Automated test in is a minimum

[uncqual]

Asserts are fairly useless as a testing tool. Their excessive use can be extremely annoying as they clutter up the code and that clutter can increase the chances of introducing bugs.

However, responsible use of asserts can be quite useful in debugging - esp. when a customer is encountering a problem that is difficult to recreate (or, perhaps, nearly impossible from a practical standpoint because they won't give you access to their confidential data/environment). In those cases, running a "well asserted" debug version of the system on the customer site can sometimes help narrow the problem space substantially very quickly - not always of course, but the cost of running the test is often very small so it has a good ROI. Of course, if you're going to do this, you need to keep the asserts valid so systems test often needs to validate both the version WITH and the version WITHOUT the asserts enabled - else it's likely that the "well asserted" version has rotted and will result in a flurry of assert failures that actually don't represent a problem.

Of course if you're writing code that controls the United States nuclear weapon launch system, ignore the advice above.

Re:Automated test in is a minimum

[angel'o'sphere]

Nevertheless he is wrong, even if your interpretation of his words is right.
In C/C++ like languages no one is going to free/delete any memory at the point of exit(), you simply call exit() and are done with it.
but that's when it is possible to deterministically detect memory leaks over the course of the software running.
No it is not :) how should that work?

Same in garbage collected languages. It is close to impossible to free all memory in a garbage collected environment ... you programmed the whole application agnostic of memory allocation and then you want to travel all objects and set all references to null (and somehow trigger the GC) to have everything 'cleared'? (Sure, I can write a reflection based graph traversal that sets every reference it encounters to null. But what would be the point?)
How should any of that be related to memory leaks that happen during normal operation of the program?

Re:Automated test in is a minimum

[swillden]

Rofl. Acacademic half knowledge with complete wrongs

Dude. I've been a professional software developer for 25 years, and am a respected engineer at one of the biggest names in software. You use my software daily.

If there are any heap-allocated blocks remaining (not freed) at exit, the program has a memory leak No it has not. Where should the memory go to after the program has exited?

Well, obviously it'll all be returned to the system after exit. The point is to check AT EXIT. If there are any blocks still allocated, you've screwed up.

Technically you can test a 40 lines mess of loops and if cascades, practicaly you can't ... or how likely is it that you can prove me in a reasonable time that a certain branch in an if - else inside of a cascade of nested loops and if's is executed with meaningfull data in your test? Especially if I have written the function and you want to write the test?

I've done it many times. Just check to see which branches aren't being executed and work out what needs to be done to execute them.

Though it's much, much better to refactor the function first.

The rest I leave as it stands if you like to argue about how likely it is that a single compilation unit has a bug that is not dicovered by a functional user acceptance test ... unit tests without user acceptance tests or integration tests are pointless.

I've found thousands of bugs with unit tests that were not discovered by functional tests, integration tests, or user acceptance tests. In fact, unit tests are the most likely ones to find thing like subtle boundary condition errors which are hard to reproduce and are the source of nasty, rare bugs that are seen in production only once in a while.

The next thing is you tell me to test getters and setters ...

Typically those get exercised by integration tests... and it is a good idea to have coverage of them at some point in your automated suite, because the whole point of getters and setters is that they may someday become non-trivial. Writing tests for them at that point isn't as good as already having tests in place, because you want to verify that your new implementation doesn't have subtle differences in behavior.

But you will figure that soon enough when you have 100% code coverage and still have bugs and wonder why

No one is claiming that unit tests are sufficient, only that they're necessary.

Btw, I never was in a team that had a memory leak in a GCed language.

Then you haven't worked on many non-trivial systems.

Re:Automated test in is a minimum

[swillden]

Really can you point to any contemporary operating system that would NOT free all the memory allocated to a process when it exists?

Obviously not. If there were such an OS it would be broken.

The point is that if you're managing your memory well, by the time you exit every allocated block will have been freed by your code. Yes, this is a little more work than appears to be absolutely necessary, but when that function which allocated a block which you expect to be released at exit, and which you know is only going to be called once, ends up being called in a loop a few years later, the maintainer who makes that change will hate you. And note that said maintainer may well be you.

Re:Automated test in is a minimum

[uncqual]

Qualified senior developers I know do some amount of all three and all have done a substantial amount of all three during various points in their career.

If you're considering just a "coder" (working, presumably, from some detailed design spec), that's probably a different matter (I've never worked anywhere that a "coder" job role existed), but a "dev" (a.k.a. "developer") is a much broader role than "coder" (and pays much better - so, yes, I probably pay them three times what I would pay a "coder" if I could find an efficient use for the latter). Anyone on my staff who only has potential to be a "coder", is sent on their way as it's faster to write the damned code than to write a detailed design spec that a one dimensional "coder" can code from -- and the result is generally much better (unless, of course, the detailed design spec is so detailed that the coder has to make no decisions -- in which case, just write the spec in Java or C++ and compile it).

Re:Automated test in is a minimum

[Livius]

Unit testing legitimately comes under both job descriptions, though
1) the coder really understands the meaning of 'unit' in a particular context, and
2) the tester is the subject matter expert on testing.

The two need to have a dialogue. If they aren't talking, there are bigger problems.

Re:Automated test in is a minimum

[Your.Master]

No it is not :) how should that work?

The memory allocator can keep track of all the memory that is allocated (maybe you do this with a special build, maybe your default allocator does this).

Provided your heap isn't actually corrupt, (which tooling can also help detect with things like canary words and on special builds with extreme one-page-per-allocation policies, but is not totally detectable), your allocator can have a record of every allocation that does not have a corresponding free by the time of exit, no matter whether it's because of reference cycling or just a missing call to delete or what-have-you. It can even tag it with the allocation callstack and what-have-you.

It's also true that it won't detect obscene memory usage that isn't actually leaked, eg. suppose Firefox leaked on every tab close, but it managed to clean itself up after the whole window closed. That's not strictly a leak but it's just as bad in practice.

It's essentially like having a garbage collector that isn't there to collect garbage, but is there to identify garbage that has been left uncollected.

you programmed the whole application agnostic of memory allocation and then you want to travel all objects and set all references to null (and somehow trigger the GC) to have everything 'cleared'? (Sure, I can write a reflection based graph traversal that sets every reference it encounters to null. But what would be the point?)

No, I don't want it cleared, I want it detected so we can notify the owner of the leaking component that it was not cleared at the proper time.

We aren't detecting leaked memory in order to free it. We're detecting leaked memory in order to fix the bug where it leaked in the first place, possibly hours or days ago, and has been consuming your RAM for no good reason since that time.

Re:Automated test in is a minimum

[Your.Master]

No one is calling free/delete before exit() on all still living objects to show that he has no memory leak.

a) Yes, there are people who absolutely are doing that, particularly if they have nontrivial destructors (whether or not that's a good idea on a heap-allocated object is a different discussion).
b) You don't have to call free/delete/whatever before exit to show no memory leak. You just have to find that there's no *unexpected* allocations. A leak can reasonably be defined as memory that is unexpectedly still allocated at exit-time.

Just an excercise 'I know where all my pointers are'?

Yes. Because if you don't know where your pointers are, that means you leaked them, possibly days ago.

If you have a unit test that 'finds a bug' but the acceptant tests did not, your acceptence test was: wrong, or did at least not cover the relevant line :)

An acceptance test that is wrong or had insufficient coverage is a bug, IMO.

A bug a week really doesn't really shock me, even for a well-tested product, depending on the scale of the product of course.

Re:Automated test in is a minimum

[rhysweatherley]

The next thing is you tell me to test getters and setters ...

You damn well better test the getters and setters. In my experience they are usually the buggiest part of a class. To save time, sooner or later you will cut-and-paste the previous getter/setter pair and modify the name ... while forgetting to update the variable name behind the API, leaving it side-effecting something else. Now you have a landmine waiting to strike on the rare occasion you set that field. And woe betide you if the setter performs verification on the value, which you will probably get wrong (in fact, I just fixed a verification bug in a setter that was found by a unit test not 5 minutes ago).

Re:Automated test in is a minimum

[michaelbolton]

I know more about testing than most programmers, so I guess it depends on who you're talking about. ---Michael B. (brave enough to sign)

Re:Automated test in is a minimum

[Skulthur]

Of course you will have copy/pasted the test too so half the chance that your test won't even find the bug. Also the pain of maintaining all that.

Seriously who tests their getter/setter? They're already tested by your other (useful) tests that use them to do more complex stuff. Writing unit tests is a trade off between the chances to catch a bug vs the pain of writing and maintaining them and writing tests for all your getter/setter just don't give much ROI.

I'm currently pondering about what I would hate less; having to unit tests for all my getters/setters ... or having no unit tests at all. I'm still not sure.

Re:Automated test in is a minimum

[thegarbz]

Sounds like you have a poor choice of control system.

Our control system is the exact opposite:

Control graphics run locally on the workstations which means they can be tested away from the control room with live equipment and then push the completed graphics to other stations.
Loop simulation can be performed online for changes to control system parameters. Feed it a bit of historical data so it builds a model, then update the parameters and simulate, then push the result back out to the control processor.
Complete simulation systems available for both our ESD system and our control system. On the ESD system the checking process is still manual but that's exactly what the standards require, manual and comprehensive function check of every change, which is why we typically delay changes to the ESD system until maintenance periods so we can play without without causing unit upsets.

There's actually a lot of neat progress happening in control systems at the moment, it's a shame that in our industry the upgrade cycles are so slow. Especially in finite time installations like oil rigs. It's build once, and operate until the last drop is out. Process plants are a bit better but painfully slow. We are about to upgrade our last operator station from Solaris to XP, shame the vendor has already EOLed that product we are about to install.

Re:Automated test in is a minimum

[swillden]

I'm not interested in educating people who don't want to be educated. Just please tell me what software you write, so I can avoid it.

Re:Automated test in is a minimum

[angel'o'sphere]

It is much quicker to let the IDE generate the getters and setters.

I don't use cut/paste at all when coding. Autocompletion in Idea Intelliy or Eclipse is simply faster and less error prone.

Testing setters only make sense when you know that you have to test them, like when nulls are not allowed or the setter actually has side effects.

Most bugs regarding setters and getters are caught by compiler warnings, like passing a long in to a setter taking an int.

If your coworkers abuse copy/paste and make such errors, then ofc in your environment it makes sense to test setter/getters, but that is not a general rule.

Re:Automated test in is a minimum

[angel'o'sphere]

The point was more that I tried to educate you.

But with your academic position you are on the safe site, a little bit at least. However you waste resources. I assume you have still many bugs in your code which you can not 'find' with unit tests. You can only write a unit test later after you have fixed the bug to ensure it does not creep in again.
Your stance is illusioning yourself, bad that you obviously did not try to follow my arguments, otherwise you would agree. But perhaps you do so in 10 years :)

You likely will never really come to use my software, so no fear. It is usually only used in house or is for very special markets like law enforcement or energy trading or grid management. As I pointed out in other posts: the software I delivered the last 20 years usually is bug free ;) So if you happen to use it and mess up ... it is your lack of knowledge, hehe! Hm, or you could buy a car where I was involved in writing the test beds and test frameworks for pedestrian detection and/or lane following etc. then you have bad luck ofc. as in 10 years that will be "state of the art" and mandatory in most countries in new cars. So please avoid high end BMW, Audi and Mercedes cars. (I did not work on the software itself, only on the automated test environments, I don't really enjoy image processing etc,)

Re:Automated test in is a minimum

[Veretax]

Your mileage may vary. Sure you can write thousands of unit tests. That's maybe a good idea, if those tests bring enough value to continue to exist long term. However, the higher up the integration stack you go, to service layer, APIs, UI the further removed you are from isolation, and the slower, and more prone to flakiness automated integration tests become. Not only that, even if you somehow manage to NEVER have a flaky test, if a company like Google with all its billions of revenue, can reach a point (https://www.youtube.com/watch?v=nyOHJ4GR4iU - GTAC 2013 Keynote: Evolution from Quality Assurance to Test Engineering) can reach a point where they have so MANY tests that they cannot reasonably run all of them often enough due to resource requirements, then you may find yourself in a similar boat as well. Simply automating all the checking isn't going to cover everything. This doesn't even begin to address usability issue, certain types of security testing, or performance testing, (which may require some automation, but will likely require a smart individual to maintain and interpret the results)

Re:Automated test in is a minimum

[david_thornley]

I work on code that uses a MFC GUI and spits out gcode for CNC machine tools. While there's a lot in it that can be unit tested, and we have a lot of unit tests, I'd like to see a testing structure that would automatically test everything from user manipulation to gcode production. (Seriously, I'd like to see it. I've asked elsewhere to see if there's such a thing. If somebody could find such software, I'd heartily recommend it here.)

Re:Automated test in is a minimum

[david_thornley]

Which control system is used depends on a lot of things, and it may not be reasonable to pick one based on ease of development.

Re:Automated test in is a minimum

[thegarbz]

Very true, my point was more that it is a moving trend in the world of control. The vendors are actually hearing our calls for a more developer and more maintenance friendly system. Even our emergency shutdown system has gone from offline logic changes only, to limited online logic changes, to online firmware updates, to completely online full system upgrades.

The industry on the whole is changing. The problem is for old plants these changes will take MANY years to filter through.

This sounds... familiar....

[QilessQi]

By implementing these standards, you will be adopting the only internationally-recognised and agreed standards for software testing, which will provide your organisation with a high-quality approach to testing that can be communicated throughout the world.

....Be the first on your block to collect all five! GOTTA CATCH 'EM ALL!

SSL, anyone?

[fuzzyfuzzyfungus]

While the idea of having a well vetted testing system in place that would allow customers to choose software that had been so vetted seems like a good idea, I have to wonder if it's doomed to the fate of SSL, at least outside of a few niche applications that mostly demand high levels of verification anyway.

With SSL, we all wanted the security; but everyone wanted it to be cheap, and wanted to avoid a monopoly over certificate authorityship. So, what did we get? A mass of CAs, many painfully shoddy, who will issue you a fancy looking cert for peanuts. Then we got "EV" certs, which are supposed to actually do what the original certs were supposed to do, only more expensive.

just like ISO 9000, that worked well!

[thebeastofbaystreet]

I mean, seriously, what kind of idiot thinks that have a standard for this will make any difference at all? Quality costs money and time end of story.

Re:just like ISO 9000, that worked well!

[angel'o'sphere]

In RL quality saves money.
Unfortunately many small (and also big shops) have not realized this yet.

Re:just like ISO 9000, that worked well!

[itsdapead]

... but spending money and time does not guarantee quality.

Nor does a certificate that proves that you spent time and money on paperwork.

Re:just like ISO 9000, that worked well!

[sjames]

ISO9000 is a really sad joke. If you have a shitty process that produces poor quality, you can pass ISO9000 just fine. From that point on, it will make sure you never accidentally produce a mediocre or (god forbid) a good product.

Re:just like ISO 9000, that worked well!

[michaelbolton]

Not quite the end of the story, I'd say. Quality typically requires some modicum of skill and critical thinking.

Re:just like ISO 9000, that worked well!

[iain.mccowatt]

In RL plenty of organizations spend time and money on compliance in the hope that doing so will magically improve quality, and that those improvements will translate into business results. Evidence that this is the case is scant. The ISO 9000 series is probably the closest analogue here, in that it too is a compliance oriented standard focussed on process and documentation. The handful of longitudical studies that claim a relationship between compliance and business results have been widely challenged. Compliance != Quality.

Re:just like ISO 9000, that worked well!

[yorgo]

This. Mod parent up.

In (very) short, "testing is evaluating a product via experimentation" (see http://www.satisfice.com/blog/...). According to this definition, truly anyone can test. Anyone can "evaluate a product via experimentation".

However, formal, professional testing also has a purpose: to inform. That is, "testing provides information about the quality of a product so that others can make informed decisions."

So, formal, professional testing is "evaluating a product via experimentation - in order to inform". And /that/ requires "a modicum of skill and critical thinking".

Re:just like ISO 9000, that worked well!

[angel'o'sphere]

You are very right of course.
But that does not change my point: if you can run your business in a way that you produce quality without having enormous overhead, then you safe money bottom line.
If such a habit is established in your organization, also new projects get to marked speedy.

The problem with introducing processes and QA etc. is that the introduction is to complex, slow and expensive that it costs you dearly and not only money but time. That is why 'agile methods' are en vogue. They try to get people (developers etc.) to do stuff in a way they would do it if they had a formal process, without having the process on paper and requiring to much documentation.

Everything you would do on a CMMI level 3 or even 4 you do in Extreme Programming or Scrum also. But more informal. Everyone in our days has a version control system and writes 'tests' ... when CMM was incepted that was not the case (even in this story here are posts of people whining that they work in multi million line projects without version control)

So what is the problem?
Education: people know not enough and don't educate themselves, that is on all levels (developers, BAs, especially Managers)
Management: frankly, 90% of management in software projects is unnecessary, the involved Managers are superfluous.
Business Culture: if a Manager struggles to finish a $2M software project in time (and now it is out of budget anyway), but can convince his superiours to fund him more, and after quite a while he has successfully finished it with a $4.5M budget, what is happening? Usually no one will try to figure what went wrong, how to prevent it or how to anticipate it (and fund and staff the project better from the beginning). What is happening is this: the manager gets promoted. Why? You really ask that? Because he showed:
a) he can rescue a project that is sinking
b) he can negotiate and communicate to get more funding
c) he over succeeded as he did not in his young age successfully manage a $2M project, but a close to $5M project! His next job position will have budget authority of perhaps $4M to $6M! Retarded, isn't it?
More Business Culture: projects like the one above are often started by one division in the company and completed by another one. Or incepted by one and done by the other. Suddenly you have competition about resources/funding inside of your corporation. People actively try to sabotage other projects, so they get canceled or the manager in charge fired or both. Many projects started like this are actually not needed or have no business value.

In such corporate environments introducing processes only gives everyone more options to backstab each other. That is basically the sad truth in big corporations that only make software for themselves. But I doubt it is different in software companies that actually sell the software they produce.

It will "catch" on

The moment when someone with little real experience is tasked with designing a "testing methodology", they will look around the internet an choose an "industry standard". They have seriously tried to implement something like that at my current gig (due to gov regulations), and the results are hilarious. I wrote an application last week, this week I'm doing the design of the application, and I will hopefully have requirements by the end of the week. Yep, in that exact order...
Ohh, and they also forgot to have a real testing phase (as opposed to the validation phase), so now the Q&A people only do testing (in a clandestine way of course, since it's not part of the process) when they're not too busy documenting the process.
So the end result is a mix of a dysfunctional procedure and just plain sneaking things in under the radar to try to get anything done.

Re:It will "catch" on

[uncqual]

Wait... I thought Healthcare.gov was coded long ago. Are you working on version 2?

I see a bunch of whiners

[sirwired]

It seems as if their chief complaint is that they were not asked to provide input, and the personal communications with members of the committee didn't go anywhere. That's not how the standards process works (I'm speaking from the IEEE perspective, anyway; don't know how ISO works)... your organization (at least from the IEEE end, this is open to pretty much anybody that can muster up the nominal dues) signs up to be on the standards committee, you pay a nominal fee to be included in the working group, and Pow! Your organization is now a full voting member for the standard.

If you don't sign up for the working group, then it should be no surprise that your input is considered entirely optional and/or ignored entirely.

In the first article, the author describes a management course where a group was supposed to form a consensus. He complains that he disagreed with everyone else, wouldn't change his mind (because of his self-proclaimed "high-standards"), and was therefore excluded from the final output from the group, which then was reported to be a consensus. He disagreed that there was a consensus at all, since he didn't agree with it. That's not how "consensus" works; it does not mean that everybody will be satisfied with the outcome, or even want to be associated with it. He goes on to complain that the ISO process requires "consensus", but since he, and like-minded individuals, disagree with the standard, it should not be cleared as a standard.

Again, not how consensus works. In a consensus process, the majority approve of whatever the final output is, and the objections of the dissenters are noted and made available as part of the standards record. You can look on the website of pretty much any standards organization and access drafts, comments, meeting minutes, presentations, the whole works. This full record can help potential adopters of the standard decide if they want to utilize it or not.

Re:I see a bunch of whiners

If you don't form industry consensus then don't expect a consensus of a minority of people from that industry (working on a standard) for it to be meaningful to the industry as a whole, regardless of who is to blame. This will be another dead standard no-one uses at worst or at best, another checklist item in the list of certifications some stakeholder somewhere wants but no-one actually cares about... and I speak of this as someone who has worked with a working group who developed a standard no-one cared about for the same reasons.

Re:I see a bunch of whiners

[michaelbolton]

Would you agree that consensus gained by attrition and rent-seeking should be used to determine the way things are done in health-, safety-, or finance-related enterprises upon which you, your loved ones, and your nest egg depend? Are you saying that IEEE/ISO working groups should ignore what's going on in the world because the process is designed to favour those who are driven by profit, but who do not have skin in the game? http://www.developsense.com/bl... ---Michael B.

Re:I see a bunch of whiners

[michaelbolton]

"After complaining about click-baiting laden titles, in your own writing at the link you provided, that's a pretty ironic statement." It's not a statement. It's a question, rhetorically delivered, that addresses a legitimate concern. Here's a fun game for the whole family: go to LinkedIn, and do a search for the string "29119". Note the preponderance of consultancies that offer services in interpreting and explaining 29119. Have a look at the constituency of the working group; note the overlap between those companies and those who are enthusiastic suppliers to the ISTQB certification mills. Have a look at the minutes of the meetings of the working group, and look for phrases like "marketing the standard" (rather than, say publicizing the standard). Are you really trying to claim that your business and yourself have no financial motivation in your actions? Or do you do all of your consulting gratis, merely on principle alone? That's another FAQ. “In one sense, it won’t make any difference to my business if 29119-1, 29119-2, and 29119-3 are left to stand, and if 29119-4 and 29119-5 move from draft to accepted. Rapid Software Testing is about actual testing skills—exploration, experimentation, critical thinking, scientific thinking, articulate reporting, and so forth. That doesn’t compete with 29119, in the same kind of way that a fish restaurant doesn’t compete with the companies that make canned tuna. We object to people manipulating the market and the ISO standards development process to suggest to the wider world that canned tuna is the only food fit for people to eat. I discuss that here: http://www.developsense.com/bl... “In another sense, 29119 could be fantastic for my business. It would offer me a way to extend the brand: how to do excellent, cost-effective testing that stands up to scrutiny in contexts where some bureaucrat, a long way away from the development project, was fooled into believing that 29119 was important. At the moment, I’m happy to refer that kind of business to colleagues of mine, but I suspect that it would be something of a gold mine for me. Yet still I oppose 29119, because what’s in my interest may not be in the interests of my clients and of society at large. “Let me be specific: There are existing standards for medical devices, for avionics, and the like. Those standards matter, and many of them are concise and well-written, and were created by genuine collaboration among interested parties. Testers who are working on medical devices or on avionics software have a limited number of minutes in the working day. As someone who flies a lot, and as someone who is likely to require the help of medical devices in the foreseeable future, I would prefer that those testers spend as many minutes as humanly possible actually investigating the software, rather than complying (authentically, pathetically, or maliciously) to an unnecessary standard for process modeling, documentation, and strategizing (a standard for developing a strategy—imagine that!). "You are free to ignore this standard" Yes, of course I am... until it creeps into regulation as the NIST points out in the second-last paragraph here: http://www.nist.gov/standardsg... ---Michael B.

Re:I see a bunch of whiners

[thegarbz]

That's not how the standards process works (I'm speaking from the IEEE perspective, anyway; don't know how ISO works)...

Typically when a multi-agency standard is published then one agency will do the lifting and the others will change the title and publish away with a unified number scheme. You'll find one of those agencies (I bet it will be the IEEE) has the working group and the other two agencies will have a couple of members on the review panel and that's it.

ISO/IEC 29500

[fustakrakich]

ISO? Who are they?

Re:ISO/IEC 29500

[pjt33]

International Social Outcasts.

Can it be a *useful* standard

[g01d4]

The Bolton-Christie argument, to me, boils down to: you can have too much of a good thing, e.g. documentation. This can impose unnecessary costs and defeat the purpose if, following the above example, onerous documentation doesn't get read. Too much of a standard means unnecessary cost goes out to the standards industry (rent seeking).

Re:Can it be a *useful* standard

[michaelbolton]

That's certainly an important point. There are others. To me, the issue not just the cost of preparing the documentation, but the degree to which compliance with the standard displaces the goal of actually testing the product or service. A moment that a tester spends on useless documentation is a moment in which she's not focused on identifying risks and finding problems that would cause loss, harm, or annoyance. http://www.developsense.com/bl...

Re:Where is the standard?????????

[Mostly+a+lurker]

I guess the website's testing process failed to catch the edge case where someone wanted to navigate past the home page.

but how many tests?

[pr100]

Whilst unit testing is a good thing in general it's actually hard to know how many tests to write. Whilst it is in theory possible to write tests for most things, it's completely infeasible to a priori write tests every for possible interaction with any reasonably sized bit of software. In practice everyone ships code with gaps in the test suite.

There are contexts in which we should be formally proving the correctness of code. This tends to be a niche thing tho' because it's hard and time-consuming.

Re:Where is the standard?????????

[TechyImmigrant]

You have to pay.

Consensus? You have to be kidding...

[NReitzel]

The free dictionary (by Farlex) defines consensus: 1. An opinion or position reached by a group as a whole.

That's very democratic. Unfortunately, reality is not democratic.

Software testing is designed to unveil real vulnerabilities and errors in a complex system. Having a bunch of people hold up their hands and say, "Is this a problem?" is flatly ludicrous. In point of fact, it's the error that isn't noticed by the majority that constitutes the deepest problem. Remember the Columbia shuttle? A group of people got together and came to the concensus that the ice impact at launch was not a problem.

Testing, by it's very nature, is not subject to regimentation. It's a lot like "Job Descriptions" -- in real terms, establishing a job description is publishing a whole list of things that don't need to be addressed. Why does anyone think software testing will be different?

"Your piece of software has problems." "No, it doesn't. We fulfilled the standard for testing."

Giveth me a break.

Only $775 to read the first 3 parts

[daverk]

First 3 parts of 29119 cost $775, the total for all the parts when they are finished will probably be around $1200. This seems to be more about money than anything else.

Of course you can have a standard

[geekoid]

You may have to extend it in some cases, but that's normal.

Re:Of course you can have a standard

[iain.mccowatt]

I don't argue that /you can't have a standard/. Clearly you can. ISO have written one. It's a fact. What I /would/ argue is that standardizing a response to something that is highly variable is a fool's errand. "Introducing defects" isn't standardized, why should their detection be?

Re:Of course you can have a standard

[yorgo]

This.

Testing is essentially "evaluating a product via experimentation". While experimentation certainly requires plenty of scientific rigor, it also requires plenty of creativity, as well. And trying to standardize creativity is unwise. There simply is no "one size fits all" way to test. Extended, or not.

On standards

[mr_mischief]

The best known standard quip about standards itself has multiple versions and attributions. How meta:

"The nice thing about standards is that you have so many to choose from." - Andrew S. Tanenbaum, Computer Networks, 2nd ed., p. 254

"The nicest thing about standards is that there are so many of them to choose from." -- Ken Olsen

“The wonderful thing about standards is that there are so many of them to choose from.” -- Grace Murray Hopper

See also:

Obligatory (but who set that standard?): xkcd : Standards
Why are there so many plugs and sockets?

‘Mediocrity finds safety in standardization.’ -- Frederick Crane
‘It is not enough that X be standard, it should also be good.’ -- Rob Pike (Window Systems Should Be Transparent)
The two above can be found on the cat -v page on standards"
"Standards are like toothbrushes. Everybody wants one but nobody wants to use anybody else’s." -- Connie Morella

Then participate!

[sirwired]

Firstly, I'm not going to answer stupid leading questions. What is this, some kind of sound-bite-driven political debate?

If you don't like the way the standard is going, you form an organization of like-minded individuals and join the working group. Spread amongst a group of people, the costs are not that extreme, nor the commitment that dire.

And I don't the ability of education providers and consultants being able to advertise "We teach/use the XYZ Standard" as being some sort of nefarious plot. If you are looking for advice on something, being able to have a decent idea what you are going to learn about without extensive interrogation and negotiation can be quite useful for both parties.

The signing of an online petition is guaranteed to be utterly and completely ineffective... the costs of actual participation are so low, it's not entirely unjustified to ignore an online petition as anything other than an isolated group. There's a process to get heard on the issue, and internet petitions, and combative communications with those involved are not it.

I read that petition: "Because the people that signed this petition who couldn't be arsed to participate in the process disagree with the standard, consensus is not possible." How was THAT every going to go anywhere? "Consensus" is not reached (or not reached) by waiting until any schmoe with an axe is satisfied; consensus is reached when the committee votes on a standard and approves one. And yes, sometimes consensus cannot be reached, and the standard simply dies... that's a perfectly valid outcome too.

Re:Then participate!

[michaelbolton]

If won't respond or consider those kinds of questions, your point of view is suspect at best, and you open yourself to being controlled by people without legitimate authority. Which is interesting, because often the people who complain most lustily about government waste are willing to let this sort of commercial power grab slide. There's no point in joining the ISO Working Group when the process is set up to suppress opposition and dissent. What we're trying to establish here is that the ISO's whole process is illegitimate, and that we do not recognize the authority of the ISO. Remember: the issue here is not only advertising or marketing for stupid certifications to a stupid standard. A more important issue here is waste of both public and private funds by manipulating the levers of regulation. I'm willing to answer the objections you've raised; you're free to ignore my points. From my FAQ: Q. If ISO 29119 is so terrible, won’t it disappear under its own weight? Yes, it probably will in most places. But for a while, some organizations (including public ones; your tax dollars at work, remember) will dally with it at great cost—including the easily foreseeable costs of unnecessary compliance, goal displacement, misrepresentation of testing, and yet another round of marketing of bogus certifications, whereby rent-seekers obtain an opportunity to pick the pockets of the naïve and the cynical. Q. Do you really believe that ISO 29119 can be stopped? No, of course we don’t. Curtis Stuehrenberg puts it perfectly in a discussion on LinkedIn: “The petition is not about stopping the publication any more than an anti-war march is about a reasonable expectation of ending a war through a parade. The point of the petition and the general chatter is to make sure at least some people hear there is a significant portion of the testing community who was not represented and who espouse different viewpoints and practices for software testing as a professional discipline.” If we can’t get the standard stopped by the ISO’s mechanisms, at least we can show that there is an absence of consensus outside of the 29119 working groups. Q. Why didn’t you object using the formal process set up by ISO? As James Bach points out, the real question there has been begged: why should the craft have to defend itself against a standards process that is set up to favour the determined and the well-funded? ISO is a commercial organization; not an organ of the United Nations, emanating from elected representative governments; not an academic institution; not a representative group of practitioners; not ordained by any deity. The burden is on ISO to show the relevance of the standard, even under its own terms. Simon Morley deconstructs that (http://testers-headache.blogspot.ca/2014/08/iso-29119-questions-part-1.html). And from my earlier blog post on the subject: If you want to be on the international working group, it’s a commitment to six days of non-revenue work, somewhere in the world, twice a year. The ISO/IEC does not pay for travel expenses. Where have international working group meetings been held? According to the http://softwaretestingstandard... Web site, meetings seem to have been held in Seoul, South Korea (2008); Hyderabad, India (2009); Niigata, Japan (2010); Mumbai, India (2011); Seoul, South Korea (2012); Wellington New Zealand (2013). Ask yourself these questions: How many independent testers or testing consultants from Europe or North America have that kind of travel budget? What kinds of consultants might be more likely to obtain funding for this kind of travel? Who benefits from the creation of a standard whose opacity demands a consultant to interpret or to certify? Meanwhile, if you join one of the local working groups, there are two ways that the group arrives at consensus. 1) By reaching broad agreement on the content. (Consensus, by the way, does not mean unanimity—that everyone agrees with the the cont

On "concensus"

[DutchUncle]

"It sometimes happens in a people amongst which various opinions prevail that the balance of the several parties is lost, and one of them obtains an irresistible preponderance, overpowers all obstacles, harasses its opponents, and appropriates all the resources of society to its own purposes. The vanquished citizens despair of success and they conceal their dissatisfaction in silence and in general apathy. The nation seems to be governed by a single principle, and the prevailing party assumes the credit of having restored peace and unanimity to the country. But this apparent unanimity is merely a cloak to alarming dissensions and perpetual opposition." - Alexis de Tocqueville, published 1831

Curse my typos!

[sirwired]

*And I don't see how the ability*...
*ever*
*not reached (or failed to be reached)*

Re:Curse my typos!

[michaelbolton]

While we're at it, how do we suppress Slashdot's dastardly tendency to eat my lovely hard returns?

Re:Most likely against it...

[michaelbolton]

"Most of the people likely against it probably had or already have no intention of testing their shit software in the first place!" You are spectacularly wrong about that. Apparently you probably had or already have no intention of testing your theory; not even by the most cursory reading of any of the materials referred to at the beginning of this thread.

CAPA vs. Barrier to Entry

[retroworks]

Most people don't understand the compliance. There's good and bad, but there's no going back once your industry (candle makers, software writers, barbers, whoever) adapts a standard it invariably becomes a tool of an authority.

Good: What I like about it is that our certifications increase accountability by encouraging recording mistakes. The "routine" of flagging mistakes and finding root causes and formalizing "corrective and preventative action" has been good and improved our company.

Bad: These standards are adapted by many companies in order to reduce competition, take away via consensus unique individual methods for doing things. They become almost like a "union", punishing individual innovation via auditors that view the world inside a "box". Uniqueness and innovation are an increased cost and risk to the third party auditor, and the auditor is ready to adapt the majority interpretation - which is usually to increase barrier of entry into the field of competiton.

As Morris Kleiner, the AFL-CIO chair in labor policy at the Humphrey School of Public Affairs at the University of Minnesota, put it "Occupational licensing has either no impact or even a negative impact on the quality of services provided to customers by members of the regulated occupation."

Re:Standards Committees on Common Sense

[michaelbolton]

I agree. Please help us in a tiny way by signing the petition. http://www.ipetitions.com/peti...

You really don't get it...

[sirwired]

First, I refused to answer those questions not because I bow down to suspect authority. (Where did THAT come from?) I refused to answer them because they are stupid. Of course the answer is "no", but that answer establishes nothing, because the questions imply conclusions that themselves are up for debate. If this is the way you and your like-minded compatriots engage in debate, no wonder you can't get anybody to take you seriously.

And I keep seeing this claim that the ISO process is set up to "suppress opposition and dissent"... but the only specifics ever mentioned is that the process takes a while and has meetings outside North America. Is that the best you can come up with?

To answer some of your points:
- Most technical standards organizations are private. IEEE, ANSI, SAE, IEC, UL, IIHS, IETF, W3C, ASTM, etc., are all private. (Not to mention tech-specific ones like the ones over Compact Flash, USB, Infiniband, etc.) Arguing that the ISO is illegitimate merely because it isn't a government agency is not likely to be persuasive. (And as a side note, the ISO was set up at the behest of the UN and is tightly coupled with them... it's not a UN agency like the ITU, but it might as well be.)
- I'm not aware of any standards organization (professional societies like the SAE and IEEE included) where standards are put out to vote by "a representative slice of practitioners"; they are all voted on by those that chose to participate in the standards process.
- Arguing that it's controlled by a bunch of money-grubbing consultants and trainers AND that it's rammed through by attrition is a contradiction. Stretching out the process indefinitely is exactly opposite to the goal of making money off the standard, since nobody makes money off a standard that doesn't exist.
- It's not deliberate attrition just because it takes longer than you'd like.
- Yes, the burden is on the ISO to demonstrate relevance of its standards. But once they have successfully done so to an organization and that organization comes to you for your services, objecting with nothing more than you "shouldn't have to defend yourself" is not likely to get you hired.
- If such a significant number of professional testers object to the contents of the standard, why could they not scrape up the funds necessary to participate in the standard? Even with meetings held in distant locales, on a per-person basis, it doesn't come out to much. (And could you not find any software testers in India, Japan, etc. that are like-minded to save on travel expenses?) If you want to be taken seriously, you gotta put your money where your mouth is...
- Again, consensus doesn't mean "everyone agrees that they can live with the content", it means that a majority (or super-majority, depending on the rules) approve of the content. If a single "no" vote could prevent a standard from being approved, we'd never have any standards at all (imagine if the Ethernet standard could have been completely halted by IBM signing up for the IEEE committee and voting "no" so it could push Token Ring instead.) This is not a difficult concept to understand, nor does it rise to "suppressing dissent".
- Like it or not, refusing to participate in the standards process does not bode well for arguing that there's "significant" objections to the standard, since those objectors could not be bothered to show up when it came to deciding on the content. (An online petition? Seriously? That's supposed to persuade anybody?)

Re:You really don't get it...

[iain.mccowatt]

It seems to me that those participating in development of a standard would be predisposed to standardization - believe that a standard on a given topic is appropriate. It also seems to me that the converse is true - that those who object to the existance of a standard would not be predisposed to participating.

Many of the objections raised to ISO29119 do not relate to it's content, but to its existance. For example, 1) the silliness of standardizing the response to variable / unpredictable demand (standardize the finding of bugs when the writing of them sure isn't standardize?) 2) testing being a young disciple which we are all still learning about, and the threat that standardization poses to further innovation 3) the opportunity cost represented by following a compliance driven, document and process heavy approach, and the correponding harm to test efficiency, effectiveness and ultimately to software quality.

Why should those who oppose the standard's very existance on such grounds partipate in its design, and negotiation as to its content? That's kinda like saying "I don't beleive in beating kids, so I'm going to help write the standard on how to administer corporal punishment in schools".

Re:What Moolya thinks of it

[yorgo]

That is a damn fine blog post. Very well said...