Software Engineering (SE) DD-WRL-003 DCWF 621

Software Developer

Executes software planning, requirements, risk management, design, development, architecture, modeling, estimation, configuration management, quality, security, and tests using software development methodologies, architectural structures, viewpoints, styles, design decisions, and frameworks across all lifecycle phases.

Tasks

The concrete work activities defined for this role in the DCWF v5.1 spreadsheet. Core tasks are required for the role; additional tasks are associated but not mandatory.

T1149A additional Enable applications with public keying by leveraging existing public key infrastructure (PKI) libraries and incorporating certificate management and encryption functionalities when appropriate.
T1150A additional Identify and leverage the enterprise-wide security services while designing and developing secure applications (e.g., Enterprise PKI, Federated Identity server, Enterprise AV solution) when appropriate.
T1151 additional Identify and leverage the enterprise-wide version control system while designing and developing secure applications.
T2156 additional Consult with customers about software system design and maintenance.
T2335 additional Direct software programming and development of documentation.
T2839 additional Supervise and assign work to programmers, designers, technologists and technicians, and other engineering and scientific personnel.
T408 additional Analyze information to determine, recommend, and plan the development of a new application or modification of an existing application.
T414 additional Analyze user needs and software requirements to determine feasibility of design within time and cost constraints.
T417 additional Apply coding and testing standards, apply security testing tools including "fuzzing" static-analysis code scanning tools, and conduct code reviews.
T418 additional Apply secure code documentation.
T432 additional Capture security controls used during the requirements phase to integrate security within the process, to identify key security objectives, and to maximize software security while minimizing disruption to plans and schedules.
T446 additional Compile and write documentation of program development and subsequent revisions, inserting comments in the coded instructions so others can understand the program.
T459A additional Conduct trial runs of programs and software applications to ensure the desired information is produced and instructions and security levels are correct.
T461 additional Confer with systems analysts, engineers, programmers, and others to design application and to obtain information on project limitations and capabilities, performance requirements, and interfaces.
T467 additional Consult with engineering staff to evaluate interface between hardware and software.
T477 additional Correct errors by making appropriate changes and rechecking the program to ensure desired results are produced.
T506 additional Design, develop, and modify software systems, using scientific analysis and mathematical models to predict and measure outcome and consequences of design.
T515A additional Develop software system testing and validation procedures, programming, and documentation.
T5200 additional Design, implement, test, and evaluate secure interfaces between information systems, physical systems, and/or embedded technologies.
T543 additional Develop secure code and error handling.
T602 additional Evaluate factors such as reporting formats required, cost constraints, and need for security restrictions to determine hardware configuration.
T634 additional Identify basic common coding flaws at a high level.
T644 additional Identify security implications and apply methodologies within centralized and decentralized environments across the enterprises computer systems in software development.
T645 additional Identify security issues around steady state operation and management of software and incorporate security measures that must be taken when a product reaches its end of life.
T709A additional Modify and maintain existing software to correct errors, to adapt it to new hardware, or to upgrade interfaces and improve performance.
T726 additional Oversee and make recommendations regarding configuration management.
T756 additional Perform integrated quality assurance testing for security functionality and resiliency attack.
T764 additional Perform secure programming and identify potential flaws in codes to mitigate vulnerabilities.
T770 additional Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change.
T785 additional Prepare detailed workflow charts and diagrams that describe input, output, and logical operation, and convert them into a series of instructions coded in a computer language.
T826 additional Address security implications in the software acceptance phase including completion criteria, risk acceptance and documentation, common criteria, and methods of independent testing.
T850 additional Store, retrieve, and manipulate data for analysis of system capabilities and requirements.
T865 additional Translate security requirements into application design elements including documenting the elements of the software attack surfaces, conducting threat modeling, and defining any specific security criteria.
T970A additional Apply cybersecurity functions (e.g., encryption, access control, and identity management) to reduce exploitation opportunities.
T971 additional Design countermeasures and mitigations against potential exploitations of programming language weaknesses and vulnerabilities in system and elements.
T972A additional Determine and document software patches or the extent of releases that would leave software vulnerable.

Knowledge, Skills, and Abilities

KSA statements define what a person filling this role knows or can do. "Knowledge" is what they must know, "Skill" is what they can perform, and "Ability" is a durable capacity they bring to the work.

A1071A ability core Ability to develop secure software according to secure software deployment methodologies, tools, and practices.
K0020 knowledge core Knowledge of complex data structures.
K0023 knowledge core Knowledge of computer programming principles such as object-oriented design.
K0056 knowledge core Knowledge of cybersecurity principles and methods that apply to software development.
K0090 knowledge core Knowledge of operating systems.
K0102 knowledge core Knowledge of programming language structures and logic.
K0105 knowledge core Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
K0116 knowledge core Knowledge of software debugging principles.
K0117 knowledge core Knowledge of software design tools, methods, and techniques.
K0119 knowledge core Knowledge of software engineering.
K0121 knowledge core Knowledge of structured analysis principles and methods.
K0124 knowledge core Knowledge of system design tools, methods, and techniques, including automated systems analysis and design tools.
K0149 knowledge core Knowledge of web services, including service-oriented architecture, Simple Object Access Protocol, and web service description language.
K0905 knowledge core Knowledge of secure coding techniques.
K0968 knowledge core Knowledge of software related information technology (IT) security principles and methods (e.g., modularization, layering, abstraction, data hiding, simplicity/minimization).
K118A knowledge core Knowledge of software development models, methodologies, and practices (Waterfall Model, Spiral, Agile, DevSecOps).
K191A knowledge core Knowledge of development and application of security system access controls.
K904A knowledge core Knowledge of interpreted and compiled computer languages.
S168 skill core Skill in conducting software debugging.
S174 skill core Skill in creating programs that validate and process multiple inputs including command line arguments, environmental variables, and input streams.
S185A skill core Skill in developing applications that can log and handle errors, exceptions, and application faults and logging.
S238A skill core Skill in writing code in a currently supported programming language (e.g., Java, C++).
S905A skill core Skill in applying secure coding techniques.
S973A skill core Skill in using code analysis tools.
A3080 ability additional Ability to use and understand complex mathematical concepts (e.g., discrete math).
A6918 ability additional Ability to apply cybersecurity strategy to cloud computing service and deployment models, identifying proper architecture for different operating environments.
A6919 ability additional Ability to determine the best cloud deployment model for the appropriate operating environment.
K0038 knowledge additional Knowledge of organization's enterprise information security architecture system.
K0040 knowledge additional Knowledge of organization's evaluation and validation requirements.
K0063 knowledge additional Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
K0072 knowledge additional Knowledge of local area and wide area networking principles and concepts including bandwidth management.
K0074 knowledge additional Knowledge of low-level computer languages (e.g., assembly languages).
K0100 knowledge additional Knowledge of Privacy Impact Assessments.
K0109 knowledge additional Knowledge of secure configuration management techniques.
K043A knowledge additional Knowledge of embedded systems.
K081A knowledge additional Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.
K095B knowledge additional Knowledge of penetration testing principles, tools, and techniques, including specialized tools for non-traditional systems and networks (e.g., control systems).
K0976 knowledge additional Knowledge of software quality assurance process.
K0979 knowledge additional Knowledge of supply chain risk management standards, processes, and practices.
K1034A knowledge additional Knowledge of Personally Identifiable Information (PII) data security standards.
K1034B knowledge additional Knowledge of Payment Card Industry (PCI) data security standards.
K1034C knowledge additional Knowledge of Personal Health Information (PHI) data security standards.
K1037A knowledge additional Knowledge of information technology (IT) risk management policies, requirements, and procedures.
K1038B knowledge additional Knowledge of local specialized system requirements (e.g., critical infrastructure/control systems that may not use standard information technology [IT]) for safety, performance, and reliability).
K1072 knowledge additional Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth, Zero Trust).
K1131 knowledge additional Knowledge of security architecture concepts and enterprise architecture reference models (e.g., Zackman, Federal Enterprise Architecture [FEA]).
K1135 knowledge additional Knowledge of the application firewall concepts and functions (e.g., Single point of authentication/audit/policy enforcement, message scanning for malicious content, data anonymization for PCI and PII compliance, data loss protection scanning, accelerated cryptographic operations, SSL security, REST/JSON processing).
K7097 knowledge additional Knowledge of planning for long-term maintainability using architectural structures, viewpoints, styles, design decisions and frameworks, and the underlying data structures.
K978A knowledge additional Knowledge of root cause analysis techniques.
S1020A skill additional Skill in secure test plan design (e. g. unit, integration, system, acceptance).
S1140A skill additional Skill in using Public-Key Infrastructure (PKI) encryption and digital signature capabilities into applications (e.g., S/MIME email, SSL traffic).
S172 skill additional Skill in creating and utilizing mathematical or statistical models.
S177 skill additional Skill in designing countermeasures to identified security risks.
S197 skill additional Skill in discerning the protection needs (i.e., security controls) of information systems and networks.
S3822A skill additional Skill in managing user relationships, including determining user needs/requirements, managing user expectations, and demonstrating commitment to delivering quality results.
S3B skill additional Skill in conducting vulnerability scans and recognizing vulnerabilities in information systems and networks.
S6942 skill additional Skill in designing or implementing cloud computing deployment models.
S6945 skill additional Skill in migrating workloads to, from, and among the different cloud computing service models.
S980A skill additional Skill in performing root cause analysis.