Secure Software Assessor

Work Role ID: 622 | Workforce Element: Cybersecurity

What does this work role do? Analyzes the security of new or existing computer applications, software, or specialized utility programs and provides actionable results.

CORE KSATs

KSAT ID	Description	KSAT
22	* Knowledge of computer networking concepts and protocols, and network security methodologies.	Knowledge
40	Knowledge of organization’s evaluation and validation requirements.	Knowledge
56	Knowledge of cybersecurity principles and methods that apply to software development.	Knowledge
63	Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).	Knowledge
90	Knowledge of operating systems.	Knowledge
105	Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).	Knowledge
108	* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).	Knowledge
109	Knowledge of secure configuration management techniques.	Knowledge
177	Skill in designing countermeasures to identified security risks.	Skill
197	Skill in discerning the protection needs (i.e., security controls) of information systems and networks.	Skill
417	Apply coding and testing standards, apply security testing tools including “‘fuzzing” static-analysis code scanning tools, and conduct code reviews.	Task
432	Capture security controls used during the requirements phase to integrate security within the process, to identify key security objectives, and to maximize software security while minimizing disruption to plans and schedules.	Task
467	Consult with engineering staff to evaluate interface between hardware and software.	Task
515B	Develop secure software testing and validation procedures.	Task
634	Identify basic common coding flaws at a high level.	Task
645	Identify security issues around steady state operation and management of software and incorporate security measures that must be taken when a product reaches its end of life.	Task
764A	Perform secure program testing, review, and/or assessment to identify potential flaws in codes and mitigate vulnerabilities.	Task
770	Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change.	Task
826	Address security implications in the software acceptance phase including completion criteria, risk acceptance and documentation, common criteria, and methods of independent testing.	Task
865	Translate security requirements into application design elements including documenting the elements of the software attack surfaces, conducting threat modeling, and defining any specific security criteria.	Task
972A	Determine and document software patches or the extent of releases that would leave software vulnerable.	Task
973A	Skill in using code analysis tools.	Skill
976	Knowledge of software quality assurance process.	Knowledge
1020A	Skill in secure test plan design (e. g. unit, integration, system, acceptance).	Skill
1034A	Knowledge of Personally Identifiable Information (PII) data security standards.	Knowledge
1037A	Knowledge of information technology (IT) risk management policies, requirements, and procedures.	Knowledge
1071	Knowledge of secure software deployment methodologies, tools, and practices.	Knowledge
1157	* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.	Knowledge
1158	* Knowledge of cybersecurity principles.	Knowledge
1159	* Knowledge of cyber threats and vulnerabilities.	Knowledge
6900	* Knowledge of specific operational impacts of cybersecurity lapses.	Knowledge
6935	* Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).	Knowledge
6938	* Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments.	Knowledge

ADDITIONAL KSATs

KSAT ID	Description	KSAT
3B	Skill in conducting vulnerability scans and recognizing vulnerabilities in information systems and networks.	Skill
20	Knowledge of complex data structures.	Knowledge
23	Knowledge of computer programming principles such as object-oriented design.	Knowledge
38	Knowledge of organization’s enterprise information security architecture system.	Knowledge
43A	Knowledge of embedded systems.	Knowledge
72	Knowledge of local area and wide area networking principles and concepts including bandwidth management.	Knowledge
74	Knowledge of low-level computer languages (e.g., assembly languages).	Knowledge
81A	Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.	Knowledge
95A	Knowledge of penetration testing principles, tools, and techniques.	Knowledge
100	Knowledge of Privacy Impact Assessments.	Knowledge
102	Knowledge of programming language structures and logic.	Knowledge
116	Knowledge of software debugging principles.	Knowledge
117	Knowledge of software design tools, methods, and techniques.	Knowledge
118	Knowledge of software development models (e.g., Waterfall Model, Spiral Model).	Knowledge
119	Knowledge of software engineering.	Knowledge
121	Knowledge of structured analysis principles and methods.	Knowledge
124	Knowledge of system design tools, methods, and techniques, including automated systems analysis and design tools.	Knowledge
149	Knowledge of web services, including service-oriented architecture, Simple Object Access Protocol, and web service description language.	Knowledge
168	Skill in conducting software debugging.	Skill
191	Skill in developing and applying security system access controls.	Skill
408A	Analyze and provide information to stakeholders that will support the development of security a application or modification of an existing security application.	Task
414A	Analyze security needs and software requirements to determine feasibility of design within time and cost constraints and security mandates.	Task
418	Apply secure code documentation.	Task
459A	Conduct trial runs of programs and software applications to ensure the desired information is produced and instructions and security levels are correct.	Task
465	Develop threat model based on customer interviews and requirements.	Task
515C	Develop system testing and validation procedures, programming, and documentation.	Task
602	Evaluate factors such as reporting formats required, cost constraints, and need for security restrictions to determine hardware configuration.	Task
644	Identify security implications and apply methodologies within centralized and decentralized environments across the enterprises computer systems in software development.	Task
710	Monitor and evaluate a system’s compliance with information technology (IT) security, resilience, and dependability requirements.	Task
756	Perform integrated quality assurance testing for security functionality and resiliency attack.	Task
850	Store, retrieve, and manipulate data for analysis of system capabilities and requirements.	Task
904	Knowledge of interpreted and compiled computer languages.	Knowledge
905	Knowledge of secure coding techniques.	Knowledge
936	Develop security compliance processes and/or audits for external services (e.g., cloud service providers, data centers).	Task
968	Knowledge of software related information technology (IT) security principles and methods (e.g., modularization, layering, abstraction, data hiding, simplicity/minimization).	Knowledge
969	Perform penetration testing as required for new or updated applications.	Task
975	Skill in integrating black box security testing tools into quality assurance process of software releases.	Skill
978A	Knowledge of root cause analysis techniques.	Knowledge
979	Knowledge of supply chain risk management standards, processes, and practices.	Knowledge
980A	Skill in performing root cause analysis.	Skill
1034B	Knowledge of Payment Card Industry (PCI) data security standards.	Knowledge
1034C	Knowledge of Personal Health Information (PHI) data security standards.	Knowledge
1038B	Knowledge of local specialized system requirements (e.g., critical infrastructure/control systems that may not use standard information technology [IT]) for safety, performance, and reliability).	Knowledge
1072	Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).	Knowledge
1131	Knowledge of security architecture concepts and enterprise architecture reference models (e.g., Zackman, Federal Enterprise Architecture [FEA]).	Knowledge
1135	Knowledge of the application firewall concepts and functions (e.g., Single point of authentication/audit/policy enforcement, message scanning for malicious content, data anonymization for PCI and PII compliance, data loss protection scanning, accelerated cryptographic operations, SSL security, REST/JSON processing).	Knowledge
1140A	Skill in using Public-Key Infrastructure (PKI) encryption and digital signature capabilities into applications (e.g., S/MIME email, SSL traffic).	Skill
2156	Consult with customers about software system design and maintenance.	Task
2335	Direct software programming and development of documentation.	Task
2839	Supervise and assign work to programmers, designers, technologists and technicians and other engineering and scientific personnel.	Task
3080	Ability to use and understand complex mathematical concepts (e.g., discrete math).	Ability
6932	Knowledge of mobile device (Android/iOS) development structures, principles, platforms, containers, languages, and the specific vulnerabilities associated with mobile device development.	Knowledge
6944	Skill in implementing defensive programming techniques.	Skill