CISA Software Developer


This role develops, creates, maintains, and writes/codes new (or modifies existing) computer applications, software, or specialized utility programs.

Personnel performing this work role may unofficially or alternatively be called:

  • Analyst Programmer
  • Computer Programmer
  • Configuration Manager
  • Database Developer/Engineer/Architect
  • Information Assurance (IA) Engineer
  • Information Assurance (IA) Software Developer
  • Information Assurance (IA) Software Engineer
  • Research & Development Engineer
  • Secure Software Engineer
  • Security Engineer
  • Software Developer
  • Software Engineer/Architect
  • Systems Analyst
  • Web Application Developer
  • Database Administrator
  • Server Administrator
  • Cloud Developer
  • Mainframe Developer
  • Full Stack Developer

Category: Securely Provision
Specialty Area: Software Development

 

Core Tasks

  • Analyze information to determine, recommend, and plan the development of a new application or modification of an existing application. (T0009)
  • Analyze user needs and software requirements to determine feasibility of design within time and cost constraints. (T0011)
  • Apply coding and testing standards, apply security testing tools including "'fuzzing" static-analysis code scanning tools, and conduct code reviews.           (T0013)
  • Apply cybersecurity functions (e.g., encryption, access control, and identity management) to reduce exploitation opportunities. (T0553)
  • Apply secure code documentation. (T0014)
  • Capture security controls used during the requirements phase to integrate security within the process, to identify key security objectives, and to maximize software security while minimizing disruption to plans and schedules. (T0022)
  • Compile and write documentation of program development and subsequent revisions, inserting comments in the coded instructions so others can understand the program. (T0026)
  • Conduct trial runs of programs and software applications to ensure the desired information is produced and instructions and security levels are correct. (T0436)
  • Confer with systems analysts, engineers, programmers, and others to design application and to obtain information on project limitations and capabilities, performance requirements, and interfaces. (T0034)
  • Consult with engineering staff to evaluate interface between hardware and software. (T0040)
  • Correct errors by making appropriate changes and rechecking the program to ensure desired results are produced. (T0046)
  • Design, develop, and modify software systems, using scientific analysis and mathematical models to predict and measure outcome and consequences of design. (T0057)
  • Determine and document software patches or the extent of releases that would leave software vulnerable. (T0554)
  • Develop secure code and error handling. (T0077)
  • Develop software system testing and validation procedures, programming, and documentation. (T0455)
  • Enable applications with public keying by leveraging existing public key infrastructure (PKI) libraries and incorporating certificate management and encryption functionalities when appropriate. (T0416)
  • Evaluate factors such as reporting formats required, cost constraints, and need for security restrictions to determine hardware configuration. (T0100)
  • Identify and leverage the enterprise-wide security services while designing and developing secure applications (e.g., Enterprise PKI, Federated Identity server, Enterprise AV solution) when appropriate. (T0417)
  • Identify basic common coding flaws at a high level. (T0111)
  • Identify security implications and apply methodologies within centralized and decentralized environments across the enterprises computer systems in software development. (T0117)
  • Identify security issues around steady state operation and management of software and incorporate security measures that must be taken when a product reaches its end of life. (T0118)
  • Modify and maintain existing software to correct errors, to adapt it to new hardware, or to upgrade interfaces and improve performance. (T0500)
  • Perform integrated quality assurance testing for security functionality and resiliency attack. (T0171)
  • Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change. (T0181)
  • Perform secure programming and identify potential flaws in codes to mitigate vulnerabilities. (T0176)
  • Store, retrieve, and manipulate data for analysis of system capabilities and requirements. (T0228)
  • Translate security requirements into application design elements including documenting the elements of the software attack surfaces, conducting threat modeling, and defining any specific security criteria. (T0236)

Core Competencies

  • Computer Languages
  • Data Privacy and Protection
  • Identity Management
  • Incident Management
  • Information Assurance
  • Information Systems/Network Security
  • Risk Management
  • Software Development
  • Software Testing and Evaluation
  • System Administration
  • Systems Integration
  • Systems Testing and Evaluation
  • Threat Analysis
  • Vulnerabilities Assessment
  • Web Technology

Core Knowledge, Skills, Abilities (KSAs)

  • Knowledge of computer programming principles (K0016)
  • Knowledge of organization's evaluation and validation requirements. (K0028)
  • Knowledge of cybersecurity and privacy principles and methods that apply to software development. (K0039)
  • Knowledge of cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). (K0044)
  • Knowledge of low-level computer languages (e.g., assembly languages). (K0051)
  • Knowledge of programming language structures and logic. (K0068)
  • Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code). (K0070)
  • Knowledge of secure configuration management techniques. (e.g., Security Technical Implementation Guides (STIGs), cybersecurity best practices on cisecurity.org). (K0073)
  • Knowledge of software debugging principles. (K0079)
  • Knowledge of software design tools, methods, and techniques. (K0080)
  • Knowledge of software development models (e.g., Waterfall Model, Spiral Model). (K0081)
  • Knowledge of software engineering. (K0082)
  • Knowledge of structured analysis principles and methods. (K0084)
  • Knowledge of system design tools, methods, and techniques, including automated systems analysis and design tools. (K0086)
  • Knowledge of web services (e.g., service-oriented architecture, Simple Object Access Protocol, and web service description language). (K0105)
  • Knowledge of interpreted and compiled computer languages. (K0139)
  • Knowledge of secure coding techniques. (K0140)
  • Knowledge of software related information technology (IT) security principles and methods (e.g., modularization, layering, abstraction, data hiding, simplicity/minimization). (K0152)
  • Knowledge of software quality assurance process. (K0153)
  • Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). (K0179)
  • Knowledge of Personally Identifiable Information (PII) data security standards. (K0260)
  • Knowledge of information technology (IT) risk management policies, requirements, and procedures. (K0263)
  • Knowledge of root cause analysis techniques. (K0343)
  • Skill in conducting software debugging. (S0014)
  • Skill in creating programs that validate and process multiple inputs including command line arguments, environmental variables, and input streams. (S0019)
  • Skill in designing countermeasures to identified security risks. (S0022)
  • Skill in developing and applying security system access controls. (S0031)
  • Skill in developing applications that can log and handle errors, exceptions, and application faults and logging. (S0149)
  • Ability to develop secure software according to secure software deployment methodologies, tools, and practices. (A0047)

How to Apply

To apply for this work role, submit an application to one or more of CISA's vacancy announcements. Please ensure your resume has been updated to reflect your demonstrated experience performing the above tasks and describe your exposure to the listed competencies.

  1. Assign the appropriate Task ID and/or Core KSA ID to each experience statement in your resume. Task and KSA IDs are listed in parenthesis at the end of each bullet above.
     
  2. You must also include demonstrated experience on the four required competencies:
  • Attention to Detail
  • Customer Service
  • Oral Communication
  • Problem Solving

Was this document helpful?  Yes  |  Somewhat  |  No