nerdexam
(ISC)2

CISSP · Question #785

When using third-party software developers, which of the following is the MOST effective method of providing software development Quality Assurance (QA)?

The correct answer is B. Perform overlapping code reviews by both parties.. When third-party developers are involved, Quality Assurance is best achieved through overlapping code reviews by both parties, ensuring mutual accountability and technical validation of the software being produced.

Submitted by valeria.br· Mar 5, 2026Software Development Security

Question

When using third-party software developers, which of the following is the MOST effective method of providing software development Quality Assurance (QA)?

Options

  • ARetain intellectual property rights through contractual wording.
  • BPerform overlapping code reviews by both parties.
  • CVerify that the contractors attend development planning meetings.
  • DCreate a separate contractor development environment.

How the community answered

(41 responses)
  • A
    7% (3)
  • B
    80% (33)
  • C
    10% (4)
  • D
    2% (1)

Why each option

When third-party developers are involved, Quality Assurance is best achieved through overlapping code reviews by both parties, ensuring mutual accountability and technical validation of the software being produced.

ARetain intellectual property rights through contractual wording.

Retaining intellectual property rights is a legal and contractual protection measure, not a technical QA process that validates the quality or correctness of the software code.

BPerform overlapping code reviews by both parties.Correct

Overlapping code reviews by both the client and the third-party developer create a collaborative QA process where defects, security vulnerabilities, and deviations from requirements are caught from multiple perspectives. This dual-review approach directly addresses software quality by technically examining the code itself rather than relying on administrative or environmental controls. It also ensures transparency and shared responsibility for the final product's integrity.

CVerify that the contractors attend development planning meetings.

Having contractors attend development planning meetings ensures alignment on requirements and goals, but does not directly verify the quality of the code or software artifacts being produced.

DCreate a separate contractor development environment.

Creating a separate contractor development environment addresses security isolation and access control concerns, but does not constitute a QA mechanism for validating software quality.

Concept tested: Third-party software development quality assurance controls

Source: https://www.nist.gov/publications/software-assurance-reference-dataset

Topics

#third-party development#code review#quality assurance#vendor security

Community Discussion

No community discussion yet for this question.

Full CISSP Practice