Secure Software Assessor

Analyzes the security of new or existing computer applications, software, or specialized utility programs and provides actionable results.

Tasks

The concrete work activities defined for this role in the DCWF v5.1 spreadsheet. Core tasks are required for the role; additional tasks are associated but not mandatory.

• T2156 additional Consult with customers about software system design and maintenance.
• T2335 additional Direct software programming and development of documentation.
• T2839 additional Supervise and assign work to programmers, designers, technologists and technicians, and other engineering and scientific personnel.
• T408A additional Analyze and provide information to stakeholders that will support the development of security a application or modification of an existing security application.
• T414A additional Analyze security needs and software requirements to determine feasibility of design within time and cost constraints and security mandates.
• T417 additional Apply coding and testing standards, apply security testing tools including "fuzzing" static-analysis code scanning tools, and conduct code reviews.
• T418 additional Apply secure code documentation.
• T432 additional Capture security controls used during the requirements phase to integrate security within the process, to identify key security objectives, and to maximize software security while minimizing disruption to plans and schedules.
• T459A additional Conduct trial runs of programs and software applications to ensure the desired information is produced and instructions and security levels are correct.
• T465 additional Develop threat model based on customer interviews and requirements.
• T467 additional Consult with engineering staff to evaluate interface between hardware and software.
• T515B additional Develop secure software testing and validation procedures.
• T515C additional Develop system testing and validation procedures, programming, and documentation.
• T602 additional Evaluate factors such as reporting formats required, cost constraints, and need for security restrictions to determine hardware configuration.
• T634 additional Identify basic common coding flaws at a high level.
• T644 additional Identify security implications and apply methodologies within centralized and decentralized environments across the enterprises computer systems in software development.
• T645 additional Identify security issues around steady state operation and management of software and incorporate security measures that must be taken when a product reaches its end of life.
• T710 additional Monitor and evaluate a system's compliance with information technology (IT) security, resilience, and dependability requirements.
• T756 additional Perform integrated quality assurance testing for security functionality and resiliency attack.
• T764A additional Perform secure program testing, review, and/or assessment to identify potential flaws in codes and mitigate vulnerabilities.
• T770 additional Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change.
• T826 additional Address security implications in the software acceptance phase including completion criteria, risk acceptance and documentation, common criteria, and methods of independent testing.
• T850 additional Store, retrieve, and manipulate data for analysis of system capabilities and requirements.
• T865 additional Translate security requirements into application design elements including documenting the elements of the software attack surfaces, conducting threat modeling, and defining any specific security criteria.
• T936 additional Develop security compliance processes and/or audits for external services (e.g., cloud service providers, data centers).
• T969 additional Perform penetration testing as required for new or updated applications.
• T972A additional Determine and document software patches or the extent of releases that would leave software vulnerable.

Knowledge, Skills, and Abilities

KSA statements define what a person filling this role knows or can do. "Knowledge" is what they must know, "Skill" is what they can perform, and "Ability" is a durable capacity they bring to the work.

• K0040 knowledge core Knowledge of organization's evaluation and validation requirements.
• K0056 knowledge core Knowledge of cybersecurity principles and methods that apply to software development.
• K0063 knowledge core Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
• K0090 knowledge core Knowledge of operating systems.
• K0105 knowledge core Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
• K0109 knowledge core Knowledge of secure configuration management techniques.
• K0976 knowledge core Knowledge of software quality assurance process.
• K1034A knowledge core Knowledge of Personally Identifiable Information (PII) data security standards.
• K1037A knowledge core Knowledge of information technology (IT) risk management policies, requirements, and procedures.
• K1071 knowledge core Knowledge of secure software deployment methodologies, tools, and practices.
• S1020A skill core Skill in secure test plan design (e. g. unit, integration, system, acceptance).
• S177 skill core Skill in designing countermeasures to identified security risks.
• S197 skill core Skill in discerning the protection needs (i.e., security controls) of information systems and networks.
• S3B skill core Skill in conducting vulnerability scans and recognizing vulnerabilities in information systems and networks.
• S973A skill core Skill in using code analysis tools.
• A3080 ability additional Ability to use and understand complex mathematical concepts (e.g., discrete math).
• K0020 knowledge additional Knowledge of complex data structures.
• K0023 knowledge additional Knowledge of computer programming principles such as object-oriented design.
• K0038 knowledge additional Knowledge of organization's enterprise information security architecture system.
• K0072 knowledge additional Knowledge of local area and wide area networking principles and concepts including bandwidth management.
• K0074 knowledge additional Knowledge of low-level computer languages (e.g., assembly languages).
• K0100 knowledge additional Knowledge of Privacy Impact Assessments.
• K0102 knowledge additional Knowledge of programming language structures and logic.
• K0116 knowledge additional Knowledge of software debugging principles.
• K0117 knowledge additional Knowledge of software design tools, methods, and techniques.
• K0118 knowledge additional Knowledge of software development models (e.g., Waterfall Model, Spiral Model).
• K0119 knowledge additional Knowledge of software engineering.
• K0121 knowledge additional Knowledge of structured analysis principles and methods.
• K0124 knowledge additional Knowledge of system design tools, methods, and techniques, including automated systems analysis and design tools.
• K0149 knowledge additional Knowledge of web services, including service-oriented architecture, Simple Object Access Protocol, and web service description language.
• K043A knowledge additional Knowledge of embedded systems.
• K081A knowledge additional Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.
• K0904 knowledge additional Knowledge of interpreted and compiled computer languages.
• K0905 knowledge additional Knowledge of secure coding techniques.
• K095A knowledge additional Knowledge of penetration testing principles, tools, and techniques.
• K0968 knowledge additional Knowledge of software related information technology (IT) security principles and methods (e.g., modularization, layering, abstraction, data hiding, simplicity/minimization).
• K0979 knowledge additional Knowledge of supply chain risk management standards, processes, and practices.
• K1034B knowledge additional Knowledge of Payment Card Industry (PCI) data security standards.
• K1034C knowledge additional Knowledge of Personal Health Information (PHI) data security standards.
• K1038B knowledge additional Knowledge of local specialized system requirements (e.g., critical infrastructure/control systems that may not use standard information technology [IT]) for safety, performance, and reliability).
• K1072 knowledge additional Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth, Zero Trust).
• K1131 knowledge additional Knowledge of security architecture concepts and enterprise architecture reference models (e.g., Zackman, Federal Enterprise Architecture [FEA]).
• K1135 knowledge additional Knowledge of the application firewall concepts and functions (e.g., Single point of authentication/audit/policy enforcement, message scanning for malicious content, data anonymization for PCI and PII compliance, data loss protection scanning, accelerated cryptographic operations, SSL security, REST/JSON processing).
• K6932 knowledge additional Knowledge of mobile device (Android/iOS) development structures, principles, platforms, containers, languages, and the specific vulnerabilities associated with mobile device development.
• K978A knowledge additional Knowledge of root cause analysis techniques.
• S1140A skill additional Skill in using Public-Key Infrastructure (PKI) encryption and digital signature capabilities into applications (e.g., S/MIME email, SSL traffic).
• S168 skill additional Skill in conducting software debugging.
• S191 skill additional Skill in developing and applying security system access controls.
• S6944 skill additional Skill in implementing defensive programming techniques.
• S975 skill additional Skill in integrating black box security testing tools into quality assurance process of software releases.
• S980A skill additional Skill in performing root cause analysis.

EWU courses that develop this role

NCAE CyberGames scoreboard errors for this role

• NCAE-5c25d301a6 WWW SSL / failure: Failed to connect to host
• NCAE-53a9f9da43 WWW Port 80 / failure: Failed to connect to server, is port 80 open?
• NCAE-3de767b21e WWW Content / failure: Failed to connect to host
• NCAE-b68a8a7bdc WWW Content / timeout: Timeout
• NCAE-6773086ba2 WWW Content / failure: Website cannot be reached
• NCAE-ff23c10a65 WWW SSL / timeout: Timeout
• NCAE-72b4452011 WWW Content / failure: admin was unable to login
• NCAE-14d2aca40b WWW SSL / failure: [SSL] record layer failure (_ssl.c:1010)
• NCAE-ea7df50c18 WWW Content / failure: [SSL] record layer failure (_ssl.c:1010)
• NCAE-8bce253742 WWW SSL / failure: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] ssl/tls alert handshake failure (_ssl.c:1010)
• NCAE-4312daca49 WWW Content / failure: Failed to detect correct content
• NCAE-989ad067ad WWW SSL / failure: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1010)
• NCAE-a86494638e WWW SSL / failure: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1010)
• NCAE-47f7f710d6 WWW SSL / failure: admin was unable to login
• NCAE-dccbbf4ea4 WWW Content / failure: admin was not able to request the login page
• NCAE-0526b23021 WWW Port 80 / failure: HTTP not found
• NCAE-bd3138c27b WWW SSL / partial: admin was not able to create the student user student_27044152-07a8-49f0-9b14-9d6db3824c91
• NCAE-2345002150 WWW SSL / partial: admin was not able to create the student user student_29fd905b-e6d2-4c85-a8d0-e0ae7029c47f

Other roles in this element