88. Portable and removable storage devices should be sanitized to prevent the entry of malicious code to launch:
a. Man-in-the-middle attack
b. Meet-in-the-middle attack
c. Zero-day attack
d. Spoofing attack
88. c. Malicious code carried on an unsanitized portable or removable storage device can exploit a vulnerability for which no patch yet exists, that is, launch a zero-day attack, as soon as the device is connected. Sanitizing such devices (scanning or wiping them before use, and disabling automatic execution of their contents) closes that entry path. None of the other three attacks is delivered by a storage device. A man-in-the-middle (MitM) attack is network-based: the attacker interposes between two communicating parties and relays, and possibly alters, their traffic, which is feasible on networks such as the Internet whenever the endpoints do not authenticate each other. A meet-in-the-middle attack is a cryptanalytic attack on a cipher applied twice with independent keys: the attacker encrypts a known plaintext under every candidate first key, decrypts the corresponding ciphertext under every candidate second key, and looks for values that agree in the middle, which costs roughly twice a single-key search rather than the square of it. A spoofing attack is an attempt to gain access to a computer system by posing as an authorized user or a trusted host.
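The meet-in-the-middle attack described above, worked through on a toy cipher. This is an added illustration, not part of the exam text: the small Feistel cipher, its 8-bit keys, the known plaintexts and the key values are all constructed here so that the full search space (65,536 key pairs) is visible next to the roughly 512 cipher operations the attack needs.

```python
# Added example (not from the exam text): a meet-in-the-middle attack on a toy
# cipher applied twice with independent keys. Everything here is constructed
# for illustration: the Feistel cipher, the key sizes and the known plaintexts.

def _round_fn(r: int, k: int) -> int:
    """Toy 8-bit round function (constructed; not a real cipher component)."""
    return ((r ^ k) * 31 + 7) & 0xFF

def encrypt(block: int, key: int, rounds: int = 4) -> int:
    """Encrypt a 16-bit block under an 8-bit key with a small Feistel network."""
    left, right = block >> 8, block & 0xFF
    for rnd in range(rounds):
        round_key = (key + rnd * 0x3B) & 0xFF
        left, right = right, left ^ _round_fn(right, round_key)
    return (left << 8) | right

def decrypt(block: int, key: int, rounds: int = 4) -> int:
    """Inverse of encrypt(): undo the Feistel rounds in reverse order."""
    left, right = block >> 8, block & 0xFF
    for rnd in reversed(range(rounds)):
        round_key = (key + rnd * 0x3B) & 0xFF
        left, right = right ^ _round_fn(left, round_key), left
    return (left << 8) | right

def double_encrypt(block: int, k1: int, k2: int) -> int:
    """Encrypt twice with independent keys, the construction the attack targets."""
    return encrypt(encrypt(block, k1), k2)

def meet_in_the_middle(pairs):
    """Recover candidate (k1, k2) from known (plaintext, ciphertext) pairs.
    Cost is about 2*256 cipher operations instead of 256*256 for brute force."""
    p0, c0 = pairs[0]
    # Forward half: encrypt the known plaintext under every candidate k1.
    middle = {}
    for k1 in range(256):
        middle.setdefault(encrypt(p0, k1), []).append(k1)
    # Backward half: decrypt the ciphertext under every k2; equal values "meet in the middle".
    candidates = set()
    for k2 in range(256):
        for k1 in middle.get(decrypt(c0, k2), []):
            candidates.add((k1, k2))
    # A 16-bit block admits false matches; filter them with the remaining known pairs.
    return {(k1, k2) for k1, k2 in candidates
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:])}

def brute_force(pairs):
    """Exhaustive search over all key pairs, for comparison."""
    return {(k1, k2) for k1 in range(256) for k2 in range(256)
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs)}

if __name__ == "__main__":
    K1, K2 = 0x3A, 0xC7                       # constructed secret keys
    known = [(p, double_encrypt(p, K1, K2)) for p in (0x1234, 0xBEEF, 0x0001)]
    print(meet_in_the_middle(known))          # contains (0x3a, 0xc7)
```

The first known pair yields the candidate set; the extra pairs exist only to discard chance collisions in the 16-bit middle value. The same structure is why double DES gives about 57 bits of security rather than 112, and why Triple DES uses three applications.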
89. Verification is an essential activity in ensuring quality software, and it includes tracing. Which of the following tracing techniques is not often used?
a. Forward tracing
b. Backward tracing
c. Cross tracing
d. Ad hoc tracing
89. c. Traceability is the ease of retracing the complete history of a software component from its current status back to its requirements specification. Cross tracing, which follows a requirement across functional boundaries, ought to be used more often, but it is seldom performed because it is difficult to execute. The other three techniques are used often because they are easy to apply.
Forward tracing is incorrect because it is commonly used: it matches inputs to outputs to demonstrate completeness. Backward tracing is likewise commonly used: it matches outputs back to inputs for the same purpose. Ad hoc tracing is also commonly used; it consists of spot checks, for example reconciling output totals with input totals less any rejects, or checking the accuracy of computer calculations such as interest on deposits, late charges, service charges and past-due loans.
During system development, verify both backward and forward traceability of (i) user requirements to software requirements, (ii) software requirements to design specifications, (iii) system tests to software requirements and (iv) acceptance tests to user requirements. Requirements and constraints can also be traced downward and upward through master-subordinate and predecessor-successor relationships. A requirement with no downstream design element or test is unimplemented or unverified; a design element or test with no upstream requirement is unjustified scope.
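The four backward and forward checks listed above, implemented as an added illustration that is not part of the exam text. The artefact identifiers, their links and the traceability layers are a constructed, hypothetical project; a real project would load the same link data from its requirements tool.

```python
# Added example (not part of the exam text): forward and backward traceability
# checks over a constructed, hypothetical set of artefacts. Each artefact maps
# its id to the ids of the upstream artefacts it traces back to.
USER_REQS = {"UR-1": set(), "UR-2": set(), "UR-3": set()}
SOFTWARE_REQS = {"SR-1": {"UR-1"}, "SR-2": {"UR-1"}, "SR-3": {"UR-2"}, "SR-4": set()}
DESIGN_SPECS = {"DS-1": {"SR-1"}, "DS-2": {"SR-2", "SR-3"}}
SYSTEM_TESTS = {"ST-1": {"SR-1"}, "ST-2": {"SR-3"}, "ST-3": {"SR-9"}}
ACCEPTANCE_TESTS = {"AT-1": {"UR-1"}, "AT-2": {"UR-2"}}

def backward_gaps(children, parents):
    """Backward trace: every child must trace to at least one existing parent.
    Returns {child_id: reason} for children that are orphaned or link to a
    parent that does not exist (unjustified scope or a stale reference)."""
    gaps = {}
    for child, links in children.items():
        if not links:
            gaps[child] = "no upstream link"
        else:
            missing = links - set(parents)
            if missing:
                gaps[child] = "dangling link(s): " + ", ".join(sorted(missing))
    return gaps

def forward_gaps(parents, children):
    """Forward trace: every parent must be covered by at least one child.
    Returns the sorted parent ids with no child (unimplemented or unverified)."""
    covered = set().union(*children.values()) if children else set()
    return sorted(set(parents) - covered)

def traceability_report():
    """Run the checks the exam answer lists, in both directions."""
    return {
        "software reqs without user req": backward_gaps(SOFTWARE_REQS, USER_REQS),
        "user reqs not refined": forward_gaps(USER_REQS, SOFTWARE_REQS),
        "software reqs not designed": forward_gaps(SOFTWARE_REQS, DESIGN_SPECS),
        "system tests with bad links": backward_gaps(SYSTEM_TESTS, SOFTWARE_REQS),
        "software reqs untested": forward_gaps(SOFTWARE_REQS, SYSTEM_TESTS),
        "user reqs without acceptance test": forward_gaps(USER_REQS, ACCEPTANCE_TESTS),
    }

if __name__ == "__main__":
    for check, result in traceability_report().items():
        print(f"{check}: {result or 'clean'}")
```

On the constructed data the report flags SR-4 (no user requirement, no design, no test), UR-3 (never refined and never accepted) and ST-3 (links to a non-existent SR-9), which are exactly the three kinds of break a verification review is meant to catch.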
90. Which of the following redundant array of independent disks (RAID) data storage systems is used for high-availability systems?
a. RAID3
b. RAID4
c. RAID5
d. RAID6
90. d. RAID6 is used for high-availability systems because it tolerates two simultaneous disk failures. Each RAID level (RAID0 to RAID6) strikes a different balance between data reliability through redundancy and input/output performance. RAID3, RAID4 and RAID5 require a minimum of three disks and devote one disk's worth of capacity to parity, so they survive the loss of only one disk. RAID6 requires a minimum of four disks and devotes two disks' worth of capacity to independent parity, so it survives the loss of any two.
With single-disk fault tolerance, a disk failure degrades performance for the whole array until the failed disk is replaced and rebuilt, and during that rebuild the data are unprotected: a second failure, or an unrecoverable read error on a surviving disk while the rebuild reads every sector, loses the array. With double parity the array can be rebuilt without the data being at risk if one more disk fails before the rebuild completes. That margin, which matters more as disk capacities and rebuild times grow, is why RAID6 suits high-availability systems. RAID of any level protects against disk failure only, not against deletion, corruption or ransomware, so it does not replace backups.
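Why two parity disks can rebuild two lost disks while one cannot, shown with an added teaching model that is not part of the exam text and not a storage driver. Single parity P is the XOR of the data blocks, which is all RAID5 has; RAID6 adds a second syndrome Q computed in the finite field GF(2^8). The stripe contents are constructed sample data; the field polynomial 0x11d and generator 2 are the ones commonly used for RAID6, but that choice is an assumption of this illustration rather than something the exam text states.

```python
# Added example (not from the exam text): a teaching model of RAID5 (P only)
# versus RAID6 (P and Q) parity. Sample stripe data are constructed inline.

POLY = 0x11D  # GF(2^8) reduction polynomial x^8 + x^4 + x^3 + x^2 + 1 (assumed)

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) (shift-and-add with reduction)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return result

def gf_pow2(exp: int) -> int:
    """2**exp in GF(2^8); data disk i is weighted by 2**i in the Q syndrome."""
    value = 1
    for _ in range(exp):
        value = gf_mul(value, 2)
    return value

def gf_inv(a: int) -> int:
    """Multiplicative inverse by exhaustive search (only 255 non-zero elements)."""
    return next(x for x in range(1, 256) if gf_mul(a, x) == 1)

def compute_parity(disks):
    """Return the P (XOR) and Q (GF(2^8)-weighted) parity blocks for a stripe."""
    n = len(disks[0])
    p, q = bytearray(n), bytearray(n)
    for i, disk in enumerate(disks):
        weight = gf_pow2(i)
        for j in range(n):
            p[j] ^= disk[j]
            q[j] ^= gf_mul(weight, disk[j])
    return bytes(p), bytes(q)

def recover_one(disks, p):
    """RAID5 style: rebuild the single missing data disk (None) from P alone.
    With two disks missing there is one equation for two unknowns, so it refuses."""
    lost = [i for i, d in enumerate(disks) if d is None]
    if len(lost) != 1:
        raise ValueError(f"P parity can rebuild exactly one disk, {len(lost)} are missing")
    rebuilt = bytearray(p)
    for disk in disks:
        if disk is not None:
            for j in range(len(p)):
                rebuilt[j] ^= disk[j]
    return bytes(rebuilt)

def recover_two(disks, p, q):
    """RAID6: rebuild two missing data disks from P and Q (two equations, two unknowns)."""
    lost = [i for i, d in enumerate(disks) if d is None]
    if len(lost) != 2:
        raise ValueError(f"P+Q can rebuild exactly two disks, {len(lost)} are missing")
    x, y = lost
    gx, gy = gf_pow2(x), gf_pow2(y)
    inv = gf_inv(gx ^ gy)  # non-zero because x != y and 2 has order 255 in this field
    dx, dy = bytearray(len(p)), bytearray(len(p))
    for j in range(len(p)):
        # Strip the surviving disks out of both syndromes, leaving
        #   pp = Dx ^ Dy   and   qq = gx*Dx ^ gy*Dy
        pp, qq = p[j], q[j]
        for i, disk in enumerate(disks):
            if disk is not None:
                pp ^= disk[j]
                qq ^= gf_mul(gf_pow2(i), disk[j])
        # qq ^ gy*pp = (gx ^ gy)*Dx, so Dx = (qq ^ gy*pp) / (gx ^ gy); then Dy = pp ^ Dx
        dx[j] = gf_mul(qq ^ gf_mul(gy, pp), inv)
        dy[j] = pp ^ dx[j]
    return bytes(dx), bytes(dy)

if __name__ == "__main__":
    stripe = [b"alpha000", b"beta1111", b"gamma222", b"delta333"]  # constructed data
    P, Q = compute_parity(stripe)
    damaged = [stripe[0], None, stripe[2], None]
    print(recover_two(damaged, P, Q) == (stripe[1], stripe[3]))  # True
```

Losing a parity disk rather than a data disk is simpler still: recompute it from the survivors with compute_parity. The model omits the striping, rotation of parity across disks and write-hole handling that real implementations need; it exists only to make the "two equations, two unknowns" argument concrete.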
91. Which of the following makes a computer system more reliable?
a. N-version programming
b. Structured programming
c. Defensive programming
d. GOTO-less programming
91. c. Defensive (robust) programming has several attributes that make a computer system more reliable. The major one is a defined exception domain: the program anticipates the errors and failures it can encounter (invalid or truncated input, resource exhaustion, failed calls) and handles each one explicitly rather than trusting its inputs and either crashing or continuing with corrupted state. Detecting and handling those conditions is what makes the system reliable.
N-version programming is based on design (version) diversity: several versions of the software are developed independently on the assumption that they fail independently, an assumption that does not always hold because independent teams tend to make similar mistakes on the same hard cases. Structured programming and GOTO-less programming are robust programming techniques whose main benefit is making programs more readable and maintainable; they do not by themselves add error handling.
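The "defined exception domain" above, made concrete with an added example that is not from the exam text: the same record parser written naively and defensively. The wire format (a 1-byte type, a 2-byte big-endian length and that many payload bytes), the size limit and the sample inputs are all constructed for this illustration.

```python
# Added example (not from the exam text): a naive parser beside a defensive one
# for an invented length-prefixed record format. Sample inputs are constructed.
import struct

MAX_RECORD_LEN = 4096  # assumed limit for this illustration

class MalformedRecord(ValueError):
    """The one exception callers are expected to handle: the parser's defined
    failure domain. Anything else escaping parse_records_defensive() is a bug."""

def parse_records_naive(data: bytes):
    """Trusts the input. Truncated or hostile input yields silently shortened
    records or an unplanned exception (struct.error, IndexError) in the caller."""
    records, pos = [], 0
    while pos < len(data):
        rtype = data[pos]
        length = struct.unpack_from(">H", data, pos + 1)[0]
        records.append((rtype, data[pos + 3:pos + 3 + length]))
        pos += 3 + length
    return records

def parse_records_defensive(data: bytes):
    """Checks every assumption before relying on it and fails closed with one
    well-defined exception type, so callers can plan their recovery."""
    if not isinstance(data, (bytes, bytearray)):
        raise MalformedRecord("input must be bytes")
    records, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 3:
            raise MalformedRecord(f"truncated header at offset {pos}")
        rtype = data[pos]
        length = struct.unpack_from(">H", data, pos + 1)[0]
        if length > MAX_RECORD_LEN:
            raise MalformedRecord(f"record length {length} exceeds limit at offset {pos}")
        body_start, body_end = pos + 3, pos + 3 + length
        if body_end > len(data):
            raise MalformedRecord(f"record body truncated at offset {pos}")
        records.append((rtype, bytes(data[body_start:body_end])))
        pos = body_end
    return records

def classify(parser, data):
    """Report what a parser does with an input: records, a planned rejection,
    or an unplanned failure that falls outside the designed exception domain."""
    try:
        return ("ok", parser(data))
    except MalformedRecord as exc:
        return ("rejected", str(exc))
    except Exception as exc:
        return ("crashed", type(exc).__name__)

GOOD = b"\x01\x00\x03abc" + b"\x02\x00\x00"  # two well-formed records (constructed)
TRUNCATED = b"\x01\x00\x10abc"                # header claims 16 bytes, only 3 follow
HEADER_ONLY = b"\x01\x00"                     # cut off inside the length field

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("truncated", TRUNCATED), ("header_only", HEADER_ONLY)):
        print(name, classify(parse_records_naive, sample), classify(parse_records_defensive, sample))
```

The naive parser's failure modes are exactly what the answer warns about: on TRUNCATED it returns a record that is silently shorter than its declared length (a caller may act on a partial message), and on HEADER_ONLY it raises a struct.error nobody planned for. The defensive parser maps every bad input onto MalformedRecord, which is the whole of its exception domain.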
92. Which of the following is an example of a static quality attribute of a software product?
a. Mean-time-between-failure
b. Simplicity in functions
c. Mean-time-to-repair
d. Resource utilization statistics
92. b. Software quality attributes are classified as either dynamic or static. Dynamic attributes are validated by observing the software's behavior during execution; examples include mean time between failures (MTBF), mean time to repair (MTTR), failure recovery time and the percentage of available resources used (resource utilization statistics).
Static attributes are validated by inspecting the non-executing software product and include modularity, simplicity and completeness. Simplicity looks for a straightforward implementation of functions: it is the characteristic of software whose functions are defined and implemented in the most direct and understandable manner.
Reliability models can predict software reliability (for example MTBF and MTTR) from the rate at which defects and errors occur. There is a trade-off between complexity and security: complex systems are difficult to secure, whereas simple systems are easier to secure and to review.
93. Auditing an information system is not reliable under which of the following situations?
a. When audit records are stored on hardware-enforced, write-once media
b. When the user being audited has privileged access
c. When the audit activity is performed on a separate system
d. When the audit-related privileges are separated from nonaudit privileges
93. b. Auditing an information system is not reliable when the auditing is performed by the same system on which the audited user holds privileged access, because that user can disable the audit function, suppress events, or alter or delete the audit records. The other three choices are control enhancements that reduce the risk of audit compromise by a privileged user: write-once media prevent records from being modified after the fact, a separate audit system keeps the records outside the audited user's reach, and separating audit privileges from non-audit privileges means that administering the system does not imply administering its audit trail.
94. Software quality is based on user needs. Which of the following software quality factors address the user’s need for performance?
a. Integrity and survivability
b. Verifiability and manageability
c. Correctness and interoperability
d. Expandability and flexibility
94. c. Correctness asks, “Does it comply with the requirements?” whereas interoperability asks, “Does it interface easily?” Quality factors such as efficiency, correctness, safety and interoperability serve the user's need for performance.
Integrity and survivability are incorrect because they serve the functional need. Integrity asks, “How secure is it?” whereas survivability asks, “Can it survive during a failure?” Quality factors such as integrity, reliability, survivability and usability serve the functional need. Verifiability and manageability are incorrect because they serve the management need. Verifiability asks, “Is performance verification easy?” whereas manageability asks, “Is the software easily managed?” Expandability and flexibility are incorrect because they serve the need for change. Expandability asks, “How easy is it to expand?” whereas flexibility asks, “How easy is it to change?”