CISA Secure Software Assessor

This role analyzes the security of new or existing computer applications, software, or specialized utility programs and provides actionable results.

Personnel performing this work role may unofficially or alternatively be called:

  • Information Assurance (IA) Software Developer
  • Information Assurance (IA) Software Engineer
  • Security Engineer
  • Secure Software Engineer
  • Application Security Analyst/Engineer
  • Application Security Tester
  • Software Quality / Quality Assurance Engineer
  • Software Assurance Analyst
  • Security Requirements Analyst

Skill Community: Cybersecurity
Category: Securely Provision
Specialty Area: Software Development
Work Role Code: 622


Core Tasks

  • Develop secure software testing and validation procedures. (T0456)
  • Perform secure program testing, review, and/or assessment to identify potential flaws in codes and mitigate vulnerabilities. (T0516)
  • Address security implications in the software acceptance phase including completion criteria, risk acceptance and documentation, common criteria, and methods of independent testing. (T0217)
  • Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change. (T0181)
  • Apply coding and testing standards, apply security testing tools including "'fuzzing" static-analysis code scanning tools, and conduct code reviews. (T0013)
  • Determine and document software patches or the extent of releases that would leave software vulnerable. (T0554)
  • Identify security issues around steady state operation and management of software and incorporate security measures that must be taken when a product reaches its end of life. (T0118)
  • Identify basic common coding flaws at a high level. (T0111)
  • Consult with engineering staff to evaluate interface between hardware and software. (T0040)

Core Competencies

  • Data Privacy
  • Information Assurance
  • Information Systems/Network Security
  • Operating System
  • Risk Management
  • Software Development
  • Software Testing and Evaluation
  • Systems Administration
  • Systems Testing and Evaluation
  • Threat Analysis
  • Vulnerability Assessment

Core Knowledge, Skills, Abilities (KSAs)

  • Knowledge of cybersecurity and privacy principles. (K0004)
  • Knowledge of computer networking concepts and protocols, and network security methodologies. (K0001)
  • Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy. (K0003)
  • Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). (K0002)
  • Knowledge of cyber threats and vulnerabilities. (K0005)
  • Knowledge of specific operational impacts of cybersecurity lapses. (K0006)
  • Knowledge of Personally Identifiable Information (PII) data security standards. (K0260)
  • Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). (K0044)
  • Skill in discerning the protection needs (i.e., security controls) of information systems and networks. (S0034)
  • Knowledge of operating systems. (K0060)
  • Knowledge of information technology (IT) risk management policies, requirements, and procedures. (K0263)
  • Knowledge of cybersecurity principles and methods that apply to software development. (K0039)
  • Knowledge of software quality assurance process. (K0153)
  • Knowledge of secure software deployment methodologies, tools, and practices. (K0178)
  • Skill in using code analysis tools. (S0174)
  • Knowledge of secure configuration management techniques. (K0073)
  • Knowledge of organization's evaluation and validation requirements. (K0028)
  • Skill in secure test plan design (e. g. unit, integration, system, acceptance). (S0135)
  • Skill in designing countermeasures to identified security risks. (S0022)
  • Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code). (K0070)
  • Skill in conducting vulnerability scans and recognizing vulnerabilities in security systems. (S0001)

Join the Mission

CISA is always searching for diverse, talented, and highly motivated professionals to continue its mission of securing the nation’s critical infrastructure. CISA is more than a great place to work; our workforce tackles the risks and threats that matter most to the nation, our families, and communities.

To join this mission, visit USAJOBs and/or the DHS Cybersecurity Service to view job announcements and to access the application. Be sure to tailor your resume to the specific job announcement, attach relevant documents, and complete all required assessments. 

When applying for CISA’s cyber positions, please review CISA’s cyber roles above and update your resume to align your experience with the listed competencies. Your resume must also show demonstrated cyber/IT related experience in:

  • Attention to Detail
  • Customer Service
  • Oral Communication
  • Problem Solving

To receive email notifications when new CISA positions are announced, set up a “saved search” on USAJOBs with keyword “Cybersecurity and Infrastructure Security Agency.”

Individuals eligible for special hiring authorities may also be considered during CISA’s one-stop hiring events or by emailing or

Was this webpage helpful?  Yes  |  Somewhat  |  No