I’ve seen some discussion on Twitter about wording changes in 1.2. In particular, the 1992 Code says
To minimize the possibility of indirectly harming others, computing professionals must minimize malfunctions by following generally accepted standards for system design and testing.
while Draft 3 says
To minimize the possibility of indirectly harming others, computing professionals should follow generally accepted best practices.
So “standards” becomes “best practices” and “for system design and testing” was removed.
I believe the intention was to actually strengthen the language, not weaken it … it would be helpful for other people to chime in and let us know what you think.
Here is my rationale:
- Following “best practices” includes following “standards.” If there was a major malfunction with a piece of code, and it turned out that this was because one had not followed a standard, then I would say that code had not followed best practices. All else being equal, following best practices require following standards. Note, of course, that all is not always equal. You could cook up a scenario where the standard is wrong, but that doesn’t invalidate my point, it reinforces it: In that case the best practices agreed to by the community may be to ignore the standard, and that could be the right thing to do in that specific scenario.
- Following “best practices” is always required, not just in system design and testing. At one point we had a laundry list of everything we could think of “system design, testing, maintenance, implementation, data processing, …” So the intention of deleting “system design and testing” doesn’t mean you no longer have to apply best practices to system design and testing, it means you must also apply it everywhere else, too.
- “Best practices” does not mean “what everyone else is doing.” If every were writing safety critical software in assembly language, or using okay++ instead of okay = true, that does not make it a best practice. My feeling is that “best practices” emerge from consensus of the specialists in that particular area. Not being a specialist in security, I would look to experts in that area to inform me about best practices, and then I try to use those best practices in my code, whether or not it is dictated by a standard.