ASQ CSQE Practice Test

Certified Software Quality Engineer

Last exam update: Nov 18, 2025
Page 1 out of 12. Viewing questions 1-15 out of 175

Question 1

Software security is developed to address which of the following types of communication threats?

  • A. Intentional attacks
  • B. Unintentional attacks
  • C. Physical attacks
  • D. Natural disasters
Answer:

A


Explanation:
Software security is designed to protect systems and data from various types of communication
threats. These threats can be categorized as:
Intentional Attacks: These are deliberate actions taken by malicious individuals or groups aiming to
exploit software vulnerabilities for gain, disruption, or espionage. Examples include hacking,
phishing, and malware attacks.
Unintentional Attacks: These are accidental events that can cause security breaches, such as user
errors or software bugs.
Physical Attacks: These involve physical actions against hardware that can affect software, like theft
or damage.
Natural Disasters: Events such as earthquakes or floods that can physically damage systems and
cause software failures.
Among these, software security primarily addresses intentional attacks. The focus is on preventing
unauthorized access, data breaches, and other forms of cyber attacks.
Reference:
"Software Security: Building Security In" by Gary McGraw
NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and
Organizations


Question 2

Which of the following activities should be classified as an internal failure cost?

  • A. Responding to customer satisfaction
  • B. Completing an internal audit
  • C. Shipping a maintenance build
  • D. Investigating the cause of build defects
Answer:

D


Explanation:
Internal failure costs are costs associated with defects found before the product reaches the
customer. These costs include:
Investigation of defects: Identifying and analyzing defects within the development process.
Rework: Fixing defects found during internal testing or audits.
Scrap: Discarding defective parts or products.
Downtime: Halting production or development to address defects.
Among the given options, investigating the cause of build defects is an internal failure cost because it
pertains to finding and analyzing issues within the software before it is released to customers.
Reference:
"Quality Planning and Analysis" by J.M. Juran and F.M. Gryna
"Total Quality Management" by Besterfield et al.


Question 3

Which of the following measures would a project manager use to assess the team’s progress against
the project schedule?

  • A. Function point metric
  • B. Earned value analysis
  • C. SMART metrics
  • D. COCOMO II Model
Answer:

B


Explanation:
Earned Value Analysis (EVA) is a project management technique used to measure project
performance and progress. It integrates project scope, time, and cost data to provide accurate
forecasts of project performance.
Planned Value (PV): The estimated value of work planned to be done.
Earned Value (EV): The value of work actually completed.
Actual Cost (AC): The actual cost incurred for the completed work.
Using these metrics, EVA can help project managers assess whether they are ahead or behind
schedule and within or over budget.
Reference:
"Project Management: A Systems Approach to Planning, Scheduling, and Controlling" by Harold
Kerzner
PMBOK Guide by Project Management Institute (PMI)


Question 4

What type of information should a project's configuration status accounting communicate?

  • A. Budget updates for the project
  • B. Changes to the project plan
  • C. Activity on baselined items
  • D. Change control board minutes
Answer:

C


Explanation:
Configuration Status Accounting (CSA) involves recording and reporting the status of configuration
items throughout the lifecycle of a project. This includes:
Status of Configuration Items: Information about the current state of items, including version
numbers and change histories.
Baselined Items: Items that have been formally approved and serve as a basis for further
development.
Changes and Updates: Documenting any modifications made to the baselined items.
CSA ensures that all stakeholders are informed about the status and history of configuration items.
Reference:
"Software Configuration Management Patterns: Effective Teamwork, Practical Integration" by
Stephen P. Berczuk and Brad Appleton
IEEE Standard for Software Configuration Management Plans (IEEE Std 828)


Question 5

Which of the following problem-solving tools is most appropriate for breaking down ideas into
progressively greater detail?

  • A. Tree diagram
  • B. Matrix diagram
  • C. Affinity diagram
  • D. Relationship diagram
Answer:

A


Explanation:
A tree diagram is a tool used to break down broad categories into finer levels of detail. It is
particularly useful for:
Hierarchical Decomposition: Breaking down complex ideas or processes into manageable sub-
components.
Problem Solving: Identifying root causes and exploring solutions systematically.
Project Planning: Defining tasks and sub-tasks in a structured manner.
The tree diagram starts with a single node and branches out into multiple nodes, each representing a
more detailed aspect of the main topic.
Reference:
"The Quality Toolbox" by Nancy R. Tague
"The Memory Jogger II: A Pocket Guide of Tools for Continuous Improvement and Effective Planning"
by Michael Brassard and Diane Ritter


Question 6

When a software change order is reviewed by the change control board (CCB), it is assigned a status
from which of the following sets of classifications?

  • A. Accepted, evaluated, in progress
  • B. Approved, disapproved, deferred
  • C. Escalated, rejected, in progress
  • D. Escalated, proposed, accepted
Answer:

B


Explanation:
When a software change order is reviewed by the Change Control Board (CCB), it undergoes a formal
assessment to determine the impact and feasibility of the change. The CCB typically assigns one of
the following statuses:
Approved: The change is accepted and will be implemented.
Disapproved: The change is rejected and will not be implemented.
Deferred: The decision on the change is postponed, often pending further information or
consideration.
These classifications help in managing changes systematically, ensuring only feasible and beneficial
changes are made to the software system.
Reference:
IEEE Standard for Configuration Management in Systems and Software Engineering (IEEE Std 828-
2012)
Software Engineering Body of Knowledge (SWEBOK)


Question 7

Coverage monitors are used during which of the following types of testing?

  • A. Black-box
  • B. White-box
  • C. Stress
  • D. Equivalence partitioning
Answer:

B


Explanation:
Coverage monitors are tools used to measure the extent to which the source code of a program is
executed when a particular test suite runs. This is a key aspect of white-box testing, which involves
testing the internal structures or workings of an application, as opposed to its functionality (which is
the focus of black-box testing).
Coverage monitoring helps in identifying parts of the code that are not executed by a set of test
cases, ensuring thorough testing and identifying untested paths.
Reference:
"Software Testing: Principles and Practices" by Naresh Chauhan
"Software Testing Techniques" by Boris Beizer


Question 8

Which of the following libraries would be most appropriate for a tester to use when experimenting
with different test case designs?

  • A. Static
  • B. Backup
  • C. Dynamic
  • D. Controlled
Answer:

C


Explanation:
The lead auditor acts as the final arbitrator for any audit-related issues that cannot be handled at a
lower level. This individual is responsible for the overall conduct of the audit, ensuring that the audit
is performed according to the plan and that all findings are appropriately addressed and resolved.
The lead auditor has the authority to make final decisions on disputes or issues that arise during the
audit process, ensuring objectivity and adherence to audit standards.
Reference:
ISO 19011: Guidelines for Auditing Management Systems
"Internal Auditing: Assurance & Advisory Services" by Urton L. Anderson, Michael J. Head, et al.


Question 9

Which of the following roles acts as the final arbitrator for any audit-related issues that cannot be
handled at a lower level?

  • A. The client
  • B. The auditee
  • C. Lead auditor
  • D. Auditee management
Answer:

C



Question 10

Static analysis tools are used to evaluate

  • A. requirements and design
  • B. software builds and test cases
  • C. test procedures and packaging
  • D. documentation and source code
Answer:

D


Explanation:
Static analysis tools are used to evaluate documentation and source code. These tools analyze the
code without executing it, looking for potential errors, coding standard violations, security
vulnerabilities, and other issues.
By reviewing the source code and associated documentation, static analysis helps in identifying
problems early in the development process, improving code quality and reducing the likelihood of
defects in the final product.
Reference:
"Code Complete: A Practical Handbook of Software Construction" by Steve McConnell
"Static Analysis: Results from the Static Analysis Tool Exposition (SATE) IV" by Paul E. Black, Elizabeth
Fong, et al.


Question 11

Which of the following corrective actions is the first action to take when a project experiences a
significant deviation on baselined budgets, baselined schedules, or required quality levels?

  • A. Add resources and continue with the plan.
  • B. Cancel the project because of the deviation.
  • C. Create a new baseline and continue with the plan.
  • D. Realign project actuals and continue with the plan.
Answer:

D


Explanation:
When a project experiences significant deviations from baselined budgets, schedules, or quality
levels, the first corrective action should be to realign project actuals and continue with the plan. This
involves:
Assessing the Deviation: Understanding the root cause and impact of the deviation on the project.
Adjusting the Plan: Making necessary adjustments to realign the project with its original goals.
Updating Stakeholders: Keeping stakeholders informed about the changes and the new plan.
Monitoring Progress: Continuously monitoring the project's progress to ensure it remains on track
after the adjustments.
This approach allows the project to stay aligned with its original objectives while addressing the
issues causing the deviations.
Reference:
PMBOK Guide by Project Management Institute (PMI)
"Project Management: A Systems Approach to Planning, Scheduling, and Controlling" by Harold
Kerzner


Question 12

A software quality engineer (SQE) is testing software in a system used to monitor critically ill
patients and administer dosages of life-sustaining medicines. Tests reveal a flaw that could result in
an unscheduled shutdown under certain circumstances. Over the SQE's verbal and written
objections, the director of engineering decides to ship the system. The SQE knows from experience
that "whistle-blowers" in the company have lost their jobs. The most appropriate next step for the
SQE would be to

  • A. gain support from workers
  • B. inform the customer
  • C. discuss with top management
  • D. remain silent
Answer:

C


Explanation:
In a situation where a software quality engineer (SQE) identifies a critical flaw and the immediate
superior decides to proceed despite the risk, the most appropriate next step is to discuss the issue
with top management. This involves:
Documenting the Issue: Clearly outlining the flaw, its potential impact, and the SQE's objections.
Escalating the Concern: Bringing the issue to the attention of higher management levels who have
the authority to reconsider the decision.
Focusing on Safety: Emphasizing the critical nature of the flaw, especially in a system used for
monitoring critically ill patients.
This step ensures that the concerns are heard at the highest level, potentially preventing a decision
that could endanger lives and the company's reputation.
Reference:
"Software Quality Assurance: Principles and Practice" by Nina S. Godbole
IEEE Code of Ethics


Question 13

Which of the following activities is classified as data collection and storage?

  • A. Installing and administering data technology
  • B. Supporting data technology usage and related issues
  • C. Confirming adequacy, uniqueness, and consistency of data
  • D. Providing mechanisms that support data availability requirements
Answer:

C


Explanation:
Data collection and storage activities are focused on ensuring that the data is adequate, unique, and
consistent. This involves:
Adequacy: Ensuring that the collected data meets the necessary requirements for its intended use.
Uniqueness: Verifying that the data is not duplicated and is uniquely identifiable.
Consistency: Ensuring that the data is consistent across different datasets and over time.
These activities are critical for maintaining the integrity and reliability of the data, which is essential
for effective data analysis and decision-making.
Reference:
"Data Quality: The Accuracy Dimension" by Jack E. Olson
"Data Management for Researchers" by Kristin Briney


Question 14

The software configuration management (SCM) planning process includes

  • A. identifying, analyzing, and mitigating SCM risks
  • B. establishing and documenting SCM policies for the organization
  • C. monitoring the performance and effectiveness of SCM processes
  • D. defining the specific SCM roles and responsibilities for the project
Answer:

D


Explanation:
The software configuration management (SCM) planning process includes defining the specific SCM
roles and responsibilities for the project. This involves:
Role Identification: Identifying all roles related to SCM, such as SCM Manager, SCM Engineer, and
Configuration Librarian.
Responsibility Assignment: Clearly defining the responsibilities associated with each role.
Documentation: Documenting these roles and responsibilities in the SCM plan to ensure clarity and
accountability.
This step is crucial for establishing a clear framework for managing configuration items and changes
throughout the project lifecycle.
Reference:
"Software Configuration Management Patterns: Effective Teamwork, Practical Integration" by
Stephen P. Berczuk and Brad Appleton
IEEE Standard for Software Configuration Management Plans (IEEE Std 828)


Question 15

Which of the following is a management practice that will provide business continuity?

  • A. Creating and documenting a business continuity plan
  • B. Defining an organizational policy for business continuity
  • C. Analyzing and assessing the organization for business continuity
  • D. Identifying and selecting appropriate strategies for business continuity
Answer:

A


Explanation:
A management practice that will provide business continuity involves creating and documenting a
business continuity plan. This includes:
Risk Assessment: Identifying potential risks and their impact on business operations.
Strategy Development: Developing strategies to mitigate identified risks and ensure continuity of
critical business functions.
Documentation: Documenting the continuity plan, including detailed procedures and guidelines for
response and recovery.
Training and Testing: Training employees on the plan and regularly testing the plan to ensure its
effectiveness.
A well-documented business continuity plan ensures that an organization can maintain or quickly
resume its critical functions during and after a disruption.
Reference:
"Business Continuity and Disaster Recovery Planning for IT Professionals" by Susan Snedaker
ISO 22301:2019, Security and resilience – Business continuity management systems – Requirements
