Does CMM level 5 mean that a system is save from fraud? 2

[Crox]

I hear banks here in Holland saying that CMM level 5 companies working on their systems means that the sources can not contain harmful or criminal code or code from terrorists. Do you agree? I also hear that Microsoft works with companies with CMM level 5. But I know their sources are never without any error. How does this match the CMM level 5 thinking? How is this possible? So what is the big deal with CMM level 5 and how save are with with it?

 

[johnherman]

This question probably belongs in the

Software Engineering Institute (SEI): CMM / CMMI Forum

but I will answer it here for you. CMM Level 5 means that the company has a repeatable, documented process for testing and delivering software, and can adapt that process as changes require. CMM Level 5 does not guarantee anything. The fact that there is a controlled, proven process greatly helps reduce the likelyhood of error.

Sometimes the grass is greener on the other side because there is more manure there - original.

 

[BNPMike]

This come back to the classic arguments about 'error'. CMM5 is more likely to deliver code that does exactly what it was asked to do. However that doesn't mean it's without problems. Microsoft's biggest issue at the moment is code that can be forced to do other things as well, by virus writers. CMM5 has no answer to that. All it can do is include ever more subversion cases in its testing, but it can't anticipate functionality outside that provided by the designers.

As for "sources can not contain harmful or criminal code or code from terrorists" - a CMM5 supplier will have more checking to ensure an individual does not carry out criminal activity but there are other better ways of doing that.

 

[Crox]

see also the discussions at:

http://www.greenhousecafe.com/cgi-bin/ubb6/ultimatebb.cgi?ubb=forum;f=25