OPEN SOURCE
The legal stumbling blocks
>> Page 22
# 01_2008
Q A U Lity
LONDON OR NEW YORK?
Global stock markets head to head
>> Page 24
TOP Of ThE LEagUE
Geneva portrait of a city
>> Page 32
Seamless system
SaP
and quality
>> Page 8
1 SQS / QUALITY # 01_08
Pure German
stopping power.
The ContiSportContact 3
with very short braking distances.
w
w
w
.
c
o
n
t
i
n
e
n
t
a
l
-
c
o
r
p
o
r
a
t
i
o
n
.
c
o
m
Conti Sommer_08_210x280_engl.ind1 1 13.02.2008 9:43:14 Uhr
EDITORIaL
achieving success with SaP
If it says SAP
customers rely on
if they want to ensure the quality of the standard software within their own company?
The answer, as so often, can differ, depending on the circumstances (page 15).
In addition to SAP
systems 12
Effective testing of SAP
solutions 15
Interview with Thomas Mangel (Postbank Systems)
on SAP
Cer-
tied Tester standard (Editors note: now
ISTQB
Certied Testers,
Foundation Level. After the course the
participants are familiar with the basic
principles of software testing. They are
able to use the general test process and
have been familiarised with activities and
techniques needed to support all phases of
the process.
SQS sets up homeshore
test centre in Grlitz, Saxony
SQS Software Quality Systems AG opened
a software test centre in Grlitz, Saxony, at
the beginning of 2008. Tis means that SQS
has established an alternative to convention-
al oshore locations. Te team was initially
launched with just over 30 test experts.
Within ve years the number of sta is
expected to rise to three gures.
In addition to the advantages commonly
ob tained from outsourcing, such as exible
access to labour resources along with favour-
able terms and prices, the homeshore test centre
in Grlitz offers services in German across the
board for the German-speaking market. SQS
is training the staff of the Grlitz test centre
to be certied testers in accordance with the
standards set by the Inter national Software
Testing Qualications Board (ISTQB
). To
date, more than 60,000 testers have been
trained and tested in conformance with this
globally recognised training and further edu-
cation scheme.
The test experts main roles will be to verify
technical concepts of IT systems, prepare
and perform functional tests and set up and
maintain automated tests. For this, they make
use of systematic procedures of software quality
assurance that detect inconsistencies, omis-
sions and contradictions at an early stage and
document them. Testing is actually performed
by way of remote access to the customers par-
ticular systems. Web-based tools provide the
customer with all the up-to-date information
about the status of the test activities and any
identied deviations, either in real time or at
periodic intervals.
flexible price models
The price model to be used in each case is
agreed between SQS and each customer on an
individual basis. Depending on requirements,
SQS can bill for the work performed, the
number of test cases processed or the number
of technical concept pages tested. SQS also
offers what it calls test points as a possible
alternative price structure based on testing
activities achieved.
When you have large, critical software
systems, which are also constantly being
modied, it is worth using systematic and
auto mated testing, says Rudolf van Megen,
Chief Executive Ofcer of SQS AG. Test
automation reduces maintenance costs consi-
derably. SQS has set up the new test centre in
Grlitz, he says, for the purpose of performing
and maintaining both manual and automated
tests cost-effectively. As well as that, the Gr-
litz specialists will be carrying out the automa-
tion of software tests themselves.
When it came to selecting the location, Grlitz
ultimately came out ahead of competitors such
as Stralsund and Greifswald. The advantages
in its favour were the motorway and the vicini-
ty to Dresden airport. In addition, the univer-
sity and the Educational Centre for Informa-
tion Processing Professions (b.i.b.) provide a
good source of well-qualied new employees.
Further information is available from:
www.sqs.de
4 SQS / QUALITY # 01_08 5 SQS / QUALITY # 01_08
Discover how to reach
new standards of testing
With innovative tools and techniques, developed from hundreds of
projects, Cognizant helps you deliver increased value to your business
by accelerating testing, increasing software quality and lowering costs.
Our state-of-the-art testing centre, staffed by thousands of dedicated professionals,
delivers adaptable testing methodologies and streamlined test management
processes to deliver predictable and reliable results every time.
Cognizant Technology Solutions
Torhaus Westhafen
Speicherstrasse 5759
60327 Frankfurt am Main
Germany
Tel: +49 69 2722 695-0
Email: sales.de@cognizant.com
www.cognizant.com
Consultancy
Functional Testing
Performance Testing
Test Automation
Managed Test Centre
VISIT US ONSTAND 38 AT
THE SOFTWARE & SYSTEMS
QUALITY CONFERENCE
16-18 APRIL, DUSSELDORF
NEWS NEWS
ireland goes from
strength to strength
SQS Software Quality Systems Ireland
achiev ed record growth in 2007. Te number
of consultants based in Ireland and Northern
Ireland doubled during the year 2007 and
large customer projects increased as well as
the number of new customers contracting for
long term work.
Stephen Magennis has joined Derry ORiordan
on the Irish sales team, covering both Northern
Ireland and the Republic of Ireland.
Northern Ireland Business Unit Director, Rob
McConnell has been growing the business from
our Belfast ofce with an increasing number of
clients and aggressively hiring new consultants.
We have added a number of new services to
our ever-expanding portfolio of services.
Among these new services are: Vista Migra-
tion, Requirements Validation, Quality Project
Management, Offshore Testing, Test Environ-
ment Management and SAP Testing.
SQS South Africa enjoys over
100 per cent growth in 2007
Te South African branch of SQS Software
Quality Systems AG recorded runaway
growth last year. While sales roughly dou-
bled, the number of employees working there
rose from about 30 at the end of 2006 to 90
in December 2007.
David Cotterell, Chief Executive Ofcer of
SQS for the United Kingdom, Ireland and
South Africa (SQS-UKISA), expects growth
to continue at the same pace this year too.
The team in Durban achieved 40 per cent
of its sales through offshore projects for
European clients and almost a third of the
services were provided locally to South African
customers.
Current offshore projects include working
for major nancial and telecommunications
service providers in Switzerland and for soft-
ware vendors and a large international law
rm in the UK, among others. The main tasks
taken on by the SQS experts include functional
and performance testing, automated regression
testing and specifying business requirements
for software development.
The customers making use of our offshore
capacities have made considerable efciency
gains and reduced their costs, says David
Cotterell. We will now be doing more to
spread this message among those customers
who have not yet embraced offshore testing.
aDVERT
Process and product quality
from a single source
In the new Process Intelligence (PI) Com-
petence Center, SQS has established a coun-
terpart to the Application Intelligence (AI)
team. Since the beginning of 2008 the PI
specialists have provided services for process
analysis and improvement.
In our projects we have regularly found that
product and process quality are two sides of
the same coin, says Detlef Vohwinkel, who
heads the new Competence Center. That, he
says, is why SQS has, with PI and AI, set up
two service groups that have emerged from the
previous Code Quality Management and IT
Process Quality teams. They might be sepa-
rate in their positioning but they frequently
collaborate in projects. The two areas are also
growing together methodically, Vohwinkel
says.
Vohwinkels team carries out as-is analyses
of processes for both in-house and third-
party software such as in connection with
a supplier evaluation. Conversely, SQS experts
can also investigate whether a principals pro-
cesses are ready to take on development work.
Apart from analysis, the service team also pro-
vides advice on process improve ment up to
and including the management of Software
Process Improvement (SPI) projects. Finally,
SQS provides rollout support for SPI projects
such as training courses.
The PI team uses all major process models
from ISO 9001:2000 via ISO 15504 or
CMMI
systems has
been initiated, managed by Peter Wilkinson
and Gary Jenn. This country-wide support
centre is delivering specialised services to
SAP
at SQS
Dr. Vincenza Pignataro is the new head
of product management for test tools and
Philipp Gerber is taking over as head of the
new SAP
Center of Excellence,
Philipp Gerber is, for
the rst time, bund ling
the companys SAP
competence from all
over Germany. The
new centre will
link in-depth SAP
ex pertise and our
quality assurance know-how, Gerber says.
For this purpose the new team will, in addit-
ion to personnel expansion and the new part-
nership between SQS and SAP
, enhance its
service portfolio. The focus will be on best
practice solutions that we align to our custom-
ers specic requirements, he says.
Gerber, a physics graduate, joined SQS from
Deutsche Post. At logistics service provi-
der Deutsche Post he was in charge of SAP
projects in the letter post division, managing
SAP
.
You can never completely rule out external threats, but in basic terms,
the threat always depends on the specic nature of the business and the
Why security must complement quality
Interview with security expert Sachar Paulus from SaP
political relevance of the company. There is no cure-all for this. The best
thing to do, however, is to implement a standard for security manage-
ment, for example ISO 27001. The risks can be analysed in accordance
with its process instructions and appropriate measures instituted.
Which typical situations do people like you, in charge of security,
experience in your day-to-day work?
When, for instance, I am preparing the regular security report for
the Executive Board, I always consider to what extent I should limit
myself to the actual incidents and disturbances and whether I should
also broach the open-ended issues that represent a potential risk. In this
situation, many of my colleagues opt to dispense with the open-ended
issues.
If they then speak to heads of department and advise of the fact that
insecure software is being used in their area of responsibility, they often
get the reply that everything is working smoothly and that they have
been unable to pinpoint any problems. Moreover, they say that they rely
on certain applications such as Skype, which should not be switched
off for this reason. (Editors note: Skype is a small software program
that you can use to phone other Skype users worldwide at no cost.) But
even in the case of the Executive Board, security requirements are often
limited simply to the request for additional rewalls.
How can you better communicate the importance of a wider apprecia-
tion of security, particularly to management?
We have to nd a language that management understands. Nowadays it
is often still the case that a lot of money is invested for security reasons
in technologies that are meant to protect software, but which do not
solve the problem effectively.
To nd the right solution at the right time, the management needs reli-
able information and measurable facts. We need continually collected
data on the security of software. This is the only way the people in charge
can arrive at decisions that are not based primarily on a gut feeling.
How can security actually be measured?
Security cannot be depicted in simple black-and-white or yes-no cate-
gories that apply equally in all instances. First of all we have to be clear
10 SQS / QUALITY # 01_08 11 SQS / QUALITY # 01_08
STRaTEgY STRaTEgY
in our minds about the fact that there is no such thing as 100 per cent
security. Instead, companies must make decisions about what kind
of security is important for them, which security level they want to
achieve and what price they are prepared to pay for this. Any such
analysis is always based on the companys business objectives. Based on
these, indicators can be derived which can be used to measure security.
What relationship exists between security and quality?
Security and quality are mutually dependent: they are complementary
in a certain way. Security is all about ensuring that the product only
includes functions whose specications have been predened and that a
software program doesnt do anything that you dont expect of it. This
is, so to speak, the negative denition of the minimum level of security
that you create in a software application.
With quality on the other hand, in simplied terms, it is about meeting
the predened quality objectives and achieving all standards set. This
then is a positive denition: the software does everything you indeed
expect of it.
How can companies align security and quality with their business
requirements? What approach do you recommend?
Id like here to draw a distinction between two different target groups.
First, there are software manufacturers, and then there are software
users. The IT providers need clearly dened security standards for their
products. They have to ensure the provision of secure coding and carry
out all these steps in accordance with current best practice.
The manufacturers also have to have processes with which they can
address security issues as soon as they arise but above all before they
become virulent. Still, as already said, you can be 100 per cent certain
that you cannot achieve 100 per cent security.
For users, on the other hand, the rst and most important point is a
clear denition of their requirements. On the basis of these, they can
then evaluate the software and services they want to use in the various
areas of their company. In the end, the responsibility for the security of
certain products and services must be clearly regulated and assigned to
employees with specic responsibility for this.
Security is measurable
What can security experts learn from quality specialists?
They can learn the usefulness of metrics and how best to apply them.
Here, we can benet from the many years experience gathered by
the testing and quality experts in analysing and evaluating software
code. By this I dont mean only pure system measurement but also the
denition of programming guidelines and how adherence to these can
be checked.
Which trends and challenges in the world of IT will security experts
have to prepare themselves for in the future?
We will have to learn to deal with increasing complexity. This is coming
about, for example, through the so-called Internet of Things, that is,
the increasing inclusion of everyday objects in electronic networking.
This is increasing the ubiquity of electronic communication enorm ously
the key phrase here is ubiquitous computing. With this, bound aries
and limitations are playing an ever-smaller role. Accordingly, ever more
security risks which hitherto were limited to the IT domain are also
reaching other areas in the world of work and everyday life.
Industrialise security
In these instances, security specialists must step in, as we are at a water-
shed. The more complex the applications become and thus also their
security risks, the more we have to standardise and industrialise security.
And for this we need reliable data that records security better, quantita-
tively and qualitatively, and makes it more controllable than hitherto.
Professor Dr. Sachar Paulus ...
... is Senior Vice President for Product Security Governance at
SAP
strategy for
product security. He is considered a pioneering thinker in the secur-
ity community and is a member of various IT security organisations
including the Information Security Forum and the International
Security Management Association.
12 SQS / QUALITY # 01_08 13 SQS / QUALITY # 01_08
STRaTEgY STRaTEgY
Easing the burden on banking experts
Te maintenance of IT solutions such as SAP
BW and SAP
systems
would lead to shorter pro-
cessing times and parallel
trouble-shooting cycles.
External consultants from
SQS Software Quality Systems
AG lent the Mercedes-Benz
Bank a helping hand. They
contributed the idea of test
automation, drew up the
concept for the new proce-
dure and set up a pilot envi-
ronment. After it was tested
and found to be a success, the
SQS experts devised a con-
cept for its full-scale use and
implemented it.
The structure of test pro-
cesses is now geared to the
products and services that the bank provides from leasing via nan-
cing to investment business. The be-all and end-all for ensuring that
automated testing runs smoothly is the quality and structure of the test
cases supplied with the new system components. Wittmann and his
team have subjected them to stringent formal standards. As a result the
automation project led to all concerned adopting a more structured,
cross-enterprise approach. That was the only way to lay the groundwork
for smoothing the running of the test machinery.
Automation of the tests is managed mostly through the use of two tools.
TestDirector from HP (formerly Mercury) is the link that connects test
management by the specialist testers. The bank already had the tool,
but it had not been widely used. Test data is maintained and made
available through use of SQS-TEST
/Professional.
The SQS tool has the major benet of working through the use
of synthetic data and not requiring production data. In this way, previ-
ously used specialist test data can be reused in the next test. Time-travel
functions automatically set the dates required at the actual date.
In a second step the Stuttgart specialists harmonised the test proce-
dure with the specic features of the SAP
BW,
for example, works with process chains that differ from those used in
testing. To reconcile the two worlds we needed sufcient time, Witt-
mann recalls. It is not something that you can simply do in passing.
And because systems other than SAP
environment has
convinced the Mercedes-Benz Banks management.
Mercedes-Benz Bank
Services that the Mercedes-Benz Bank provides are nancing,
leasing, insurance and eet management for the Mercedes-Benz,
smart, Chrysler, Jeep, Dodge, Mitsubishi Fuso and Setra brands.
In its direct banking business the company offers overnight and
xed-term deposit investments, savings plans, investment funds
and certicates. As a nancial service provider for leasing and
nanc ing, the Mercedes-Benz Bank has acquired a fund of
ex perience over a period of more than 40 years. It began direct
banking with nancial investment and credit cards in July 2002.
The bank now serves around one million customers. In its leasing
nance core business it currently has around 800,000 contracts
with a combined volume of 16 billion. Its deposit-taking business,
with about 260,000 contracts, totals over 4 billion.
Dr. Torsten Wittmann, Mercedes-Benz Bank AG,
says, Automating software tests boosts eciency
signicantly.
14 SQS / QUALITY # 01_08 15 SQS / QUALITY # 01_08
STRaTEgIE STRaTEgY
Effective testing of SaP
solutions
Tere is now growing demand for SAP
projects.
SAP
as Head of Tech-
nology of Postbank Systems AG from entering into the contract with
SAP
through to implementation.
Deutsche Postbank is breaking ranks with the majority of the other
large banks by using SAP for its core business activities. Why?
Postbank has undergone rapid change in the last ten years developing
from a public institution into a now global bank that is a leader in retail
banking. This was in part achieved due to the companys decision in
1999 to pave the way with standard software and SAP
as the basis
for core systems for retail banking. The situation at that time favoured
this approach since the strategic plans of Postbank and of SAP
tted
each other very well. We were looking for a system that covered all the
important functions of a global bank with the emphasis on retail bank-
ing customers. At the same time, SAP
and Postbank. This was the very reason why we decided to col-
laborate with SAP
to
convert the requirements into a exible software solution.
Quite a big risk for such an important system ...
Of course, we asked ourselves this question too: could we place our
condence in something like this? The result of these deliberations was
an approach with which we fully aligned the priorities of the bank with
this project from the Executive Board to the individual employees.
In the end, were you not dealing with two projects rst, supporting
SAP in creating the standard software and then implementing the
software?
Yes, these were two logically separated parts, although there were over-
laps in chronological terms. As part of an initial phase, SAP
had to
deliver a parameterisable solution, or as SAP
from the outset in order to get to know the system at the development
stage. This insider knowledge then stood us in good stead later on at the
customisation stage.
Did SAP grasp and implement the expertise from Postbank from
the outset?
SAP
BCA, a predecessor
of the core banking system developed in collaboration with us. We were
therefore able to presume a fundamental grasp of banking software and
concentrate on the technical and operational specications.
How did you ensure quality?
Quality management (QM) was a fundamental part of the program
structure. This provided for a multi-level project hierarchy in which
QM took on a support function at the program management level.
The program manager was thus assisted by a quality manager, who,
along with his team, took on responsibility for quality across the entire
program. Of course, each individual project had its own quality objec-
tives, but at the across-the-board program level, there was one person
in charge of quality who pulled all the individual strands together, for
instance, the specications for fault removal plans and the tracing of
fault removal. Here, too, there were two stages: rst, we checked using
predened test cases to see whether the SAP
continually recruited more staff to its team of testers and set out
by rstly appointing ten Indian project managers and ten Indian system
SaP
An SAP
solutions. In their book, Testing SAP
Test
Data Migration Server, which simplies test data management. The
nal and third part of the book describes and explains performance
and load tests. The authors give an in-depth illustration of a typi-
cal performance testing procedure and provide detailed information
about the support offered by tools such as SAP
LoadRunner from
HP (previously from Mercury).
As a team, Markus Helfen and his colleagues at SAP
provide a
good, comprehensive overview of testing in an SAP
context. The
inclusion of plenty of graphics ensures the reader has a good grasp
of the subject matter, with the tool descriptions accompanied by
screenshots throughout. Beyond theory, the authors provide detailed
reports from customers on all aspects of the subject matter, offering
real-life examples. The book will provide project and test managers
with valuable information and suggestions on optimising testing.
Philipp Gerber
Markus Helfen, Michael Lauer,
Hans M. Trauthwein:
Testing SAP
Solutions. Rockville,
MD (SAP
testing
Results of the last survey
The main results of the last readers survey (subject: IT offshoring)
can be found on page 7 of this magazine.
1
st
prize Apple iPod 30 GB storage capacity
2
nd
prize Apple iPod 2 GB storage capacity
3
rd
prize Bang & Olufsen A8 earphones
Dear readers,
Answer a few questions this time on SAP
testing
and you have a chance to win.
You can nd the survey at: www.sqs-uk.com
The winners of the last survey are:
>> Michael Schrder, Postbank Systems AG (iPod 30 GB)
>> Sascha Kremer, Deutsche rzteversicherung AG (iPod 2 GB)
Congratulations!
Herbert Fandel ...
is one of the most successful football referees today. Te concert
pianist and music school director has been a FIFA-level ocial since
1998. Among the matches he has refereed are the 2006 UEFA Cup
nal and the 2007 Champions League nal. He is currently making
preparations for his involvement in this years European Champion-
ship in Austria and Switzerland.
SQC conference 2008 | Monday 29th September and Tuesday 30th September | QEII Conference Centre London
Organised by
SQC Conference 2008
Were looking to create a real buzz in 2008 with a fresh, new venue at the QEII Conference Centre. And SQC UK will be a hive of activity this
year with some fascinating speakers for what promises to be a challenging, and potentially controversial, conference theme: never too
busy the role of testing in improving productivity.
Everyone needs to pull their weight in an organisation. If a worker bee doesnt contribute to a hive, the entire colony is at risk (and no-one
gets any honey). The same can be said of organisations whose departments arent contributing effectively to the business (although honey
levels arent affected).
With insight from many industries, including nancial services and enterprise management, SQC UK will tackle this sticky subject head on
and discuss exactly what the testing community can do to boost productivity in the business space.
Be the bees knees in your company
Never too busy?
The role of testing in improving productivity.
Venue
Mountbatten Suite and
Elizabeth Windsor Room,
5th oor, QEII Conference Centre, London
Dates
Monday 29th September and
Tuesday 30th September
For more delegate or exhibitor information,
please contact the conference team.
Phone: +44 (0)20 7448 4624
Email: uk@sqs-conferences.com
Delegates
Practitioners and business delegates:
1 day: 400 + VAT per person
2 days: 750 + VAT per person
Exhibitors
There are a number of exhibitor packages
available, including sponsorship deals.