CISA Secure Software Assessor

This role analyzes the security of new or existing computer applications, software, or specialized utility programs and provides actionable results.

Personnel performing this work role may unofficially or alternatively be called:

  • Information Assurance (IA) Software Developer
  • Information Assurance (IA) Software Engineer
  • Security Engineer
  • Secure Software Engineer
  • Application Security Analyst/Engineer
  • Application Security Tester
  • Software Quality / Quality Assurance Engineer
  • Software Assurance Analyst
  • Security Requirements Analyst

Category: Securely Provision
Specialty Area: Software Development

 

Core Tasks

  • Develop secure software testing and validation procedures. (T0456)
  • Perform secure program testing, review, and/or assessment to identify potential flaws in codes and mitigate vulnerabilities. (T0516)
  • Address security implications in the software acceptance phase including completion criteria, risk acceptance and documentation, common criteria, and methods of independent testing. (T0217)
  • Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change. (T0181)
  • Apply coding and testing standards, apply security testing tools including "'fuzzing" static-analysis code scanning tools, and conduct code reviews. (T0013)
  • Determine and document software patches or the extent of releases that would leave software vulnerable. (T0554)
  • Identify security issues around steady state operation and management of software and incorporate security measures that must be taken when a product reaches its end of life. (T0118)
  • Identify basic common coding flaws at a high level. (T0111)
  • Consult with engineering staff to evaluate interface between hardware and software. (T0040)

Core Competencies

  • Data Privacy
  • Information Assurance
  • Information Systems/Network Security
  • Operating System
  • Risk Management
  • Software Development
  • Software Testing and Evaluation
  • Systems Administration
  • Systems Testing and Evaluation
  • Threat Analysis
  • Vulnerability Assessment

Core Knowledge, Skills, Abilities (KSAs)

  • Knowledge of cybersecurity and privacy principles. (K0004)
  • Knowledge of computer networking concepts and protocols, and network security methodologies. (K0001)
  • Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy. (K0003)
  • Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). (K0002)
  • Knowledge of cyber threats and vulnerabilities. (K0005)
  • Knowledge of specific operational impacts of cybersecurity lapses. (K0006)
  • Knowledge of Personally Identifiable Information (PII) data security standards. (K0260)
  • Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). (K0044)
  • Skill in discerning the protection needs (i.e., security controls) of information systems and networks. (S0034)
  • Knowledge of operating systems. (K0060)
  • Knowledge of information technology (IT) risk management policies, requirements, and procedures. (K0263)
  • Knowledge of cybersecurity principles and methods that apply to software development. (K0039)
  • Knowledge of software quality assurance process. (K0153)
  • Knowledge of secure software deployment methodologies, tools, and practices. (K0178)
  • Skill in using code analysis tools. (S0174)
  • Knowledge of secure configuration management techniques. (K0073)
  • Knowledge of organization's evaluation and validation requirements. (K0028)
  • Skill in secure test plan design (e. g. unit, integration, system, acceptance). (S0135)
  • Skill in designing countermeasures to identified security risks. (S0022)
  • Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code). (K0070)
  • Skill in conducting vulnerability scans and recognizing vulnerabilities in security systems. (S0001)

How to Apply

To apply for this work role, submit an application to one or more of CISA's vacancy announcements. Please ensure your resume has been updated to reflect your demonstrated experience performing the above tasks and describes your exposure to the listed competencies.

  1. Assign the appropriate Task ID and/or Core KSA ID to each experience statement in your resume. Task and KSA IDs are listed in parenthesis at the end of each bullet above.
     
  2. You must also include demonstrated experience on the four required competencies:
  • Attention to Detail
  • Customer Service
  • Oral Communication
  • Problem Solving

Was this document helpful?  Yes  |  Somewhat  |  No