Does CMM level 5 protect against fraud?

(OP)
The story starts about outsourcing and risks:

Y2K date problems, with difficulties that were not hidden on purpose, were difficult enough to handle. We solved the problems and everything went OK. But now there are companies that want to outsource that have to deal in the near future with hidden criminal or terrorist features in their outsourced programs. Why? Several reasons.

- Nowadays the business within the bank is divided into departments. The automation of the departments is divided the same way. The authorization is department-dependent. So nobody can control all the sources. Also, testing is done by a separate department. When outsourced, all the sources are in one hand, all the authorizations are in one hand. Offshore programmers earn only 1 dollar an hour. It is not so difficult to find some of them who want to make copies of the sources and/or make updates on the demand of criminals.

- Many big banks work with black-box testing. It is impossible to prove that the software is right that way, because whether the software makes an exception for one of the possible input messages or records is not determinable within a lifetime, given the huge number of possibilities.

- Outsource companies or their employees will have lots of time to prepare criminal functionality. That functionality can be to react in a certain way to queries which are input from a call-centre. Just by calling the company, a criminal or terrorist can start the first part of such a criminal or terrorist activity. It can take weeks or months before all the subsystems needed are standing by before they make money available for the criminals. It can also take months before anyone understands how it happened, because previous tracks will be erased. In the meantime it is not clear how to get the control back to the bank. If they stop their systems, the bank will be bankrupt; if they don't stop it, money will continue to be transferred to the wrong accounts.

- Even terrorists can sabotage the software.

The strange thing is that the upper management of many financial companies doesn't understand what trouble they will get into if they outsource completely, but that is exactly what they are planning at the moment.

I hear banks here in Holland saying that CMM level 5 companies working on their systems and the Indian culture - "they are not criminal at all there..." - mean that the sources cannot contain harmful or criminal code or code from terrorists. Do you agree?

I also hear that Microsoft works with companies with CMM level 5. But I know their sources are never without any error. How does this match the CMM level 5 thinking? How is this possible? So what is the big deal with CMM level 5, and how safe are financial institutes that are completely outsourcing their maintenance on their system with it?


RE: Does CMM level 5 protect against fraud?

CMM assures a defined development process. It doesn't assure the honesty of the developers, or the correctness of the code (this in the sense that CMM requires management of requirements, but how does one create a requirement that the app (for instance) not have a backdoor? Hard to specify, and hard to test for).

Pat O'Connell

RE: Does CMM level 5 protect against fraud?

(OP)
Thanks for this answer!

Others told me that with CMM level 5 you can assure that one can repeat creating errors.

Also ideal to control newbies.

Microsoft lets parts of their software be developed by CMM level 5 companies. So this is why we are all so familiar with a BOD?

Regards,

   Crox
