Securely Provision

Develops and writes/codes new (or modifies existing) computer applications, software, or specialized utility programs following software assurance best practices.

Below are the roles for this Specialty Area. Click each role to see the KSAs (Knowledge, Skills, and Abilities) and Tasks.

  • A0021: Ability to use and understand complex mathematical concepts (e.g., discrete math).
  • A0123: Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). 
  • A0170: Ability to identify critical infrastructure systems with information communication technology that were designed without system security considerations. 
  • K0001: Knowledge of computer networking concepts and protocols, and network security methodologies. 
  • K0002: Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). 
  • K0003: Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy. 
  • K0004: Knowledge of cybersecurity and privacy principles. 
  • K0005: Knowledge of cyber threats and vulnerabilities. 
  • K0006: Knowledge of specific operational impacts of cybersecurity lapses. 
  • K0014: Knowledge of complex data structures. 
  • K0016: Knowledge of computer programming principles 
  • K0027: Knowledge of organization's enterprise information security architecture. 
  • K0028: Knowledge of organization's evaluation and validation requirements. 
  • K0039: Knowledge of cybersecurity and privacy principles and methods that apply to software development. 
  • K0044: Knowledge of cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). 
  • K0050: Knowledge of local area and wide area networking principles and concepts including bandwidth management. 
  • K0051: Knowledge of low-level computer languages (e.g., assembly languages). 
  • K0060: Knowledge of operating systems.
  • K0066: Knowledge of Privacy Impact Assessments.
  • K0068: Knowledge of programming language structures and logic.
  • K0070: Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
  • K0073: Knowledge of secure configuration management techniques.
  • K0079: Knowledge of software debugging principles.
  • K0080: Knowledge of software design tools, methods, and techniques.
  • K0081: Knowledge of software development models (e.g., Waterfall Model, Spiral Model).
  • K0082: Knowledge of software engineering.
  • K0084: Knowledge of structured analysis principles and methods.
  • K0086: Knowledge of system design tools, methods, and techniques, including automated systems analysis and design tools.
  • K0105: Knowledge of web services (e.g., service-oriented architecture, Simple Object Access Protocol, and web service description language). 
  • K0139: Knowledge of interpreted and compiled computer languages.
  • K0140: Knowledge of secure coding techniques.
  • K0152: Knowledge of software related information technology (IT) security principles and methods (e.g., modularization, layering, abstraction, data hiding, simplicity/minimization).
  • K0153: Knowledge of software quality assurance process.
  • K0154: Knowledge of supply chain risk management standards, processes, and practices.
  • K0170: Knowledge of critical infrastructure systems with information communication technology that were designed without system security considerations. 
  • K0178: Knowledge of secure software deployment methodologies, tools, and practices. 
  • K0179: Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). 
  • K0199: Knowledge of security architecture concepts and enterprise architecture reference models (e.g., Zachman, Federal Enterprise Architecture [FEA]).
  • K0202: Knowledge of the application firewall concepts and functions (e.g., Single point of authentication/audit/policy enforcement, message scanning for malicious content, data anonymization for PCI and PII compliance, data loss protection scanning, accelerated cryptographic operations, SSL security, REST/JSON processing).
  • K0260: Knowledge of Personally Identifiable Information (PII) data security standards. 
  • K0261: Knowledge of Payment Card Industry (PCI) data security standards. 
  • K0262: Knowledge of Personal Health Information (PHI) data security standards. 
  • K0263: Knowledge of information technology (IT) risk management policies, requirements, and procedures. 
  • K0322: Knowledge of embedded systems.
  • K0342: Knowledge of penetration testing principles, tools, and techniques.
  • K0343: Knowledge of root cause analysis techniques.
  • K0624: Knowledge of Application Security Risks (e.g. Open Web Application Security Project Top 10 list) 
  • S0001: Skill in conducting vulnerability scans and recognizing vulnerabilities in security systems.
  • S0022: Skill in designing countermeasures to identified security risks.
  • S0031: Skill in developing and applying security system access controls.
  • S0034: Skill in discerning the protection needs (i.e., security controls) of information systems and networks.
  • S0083: Skill in integrating black box security testing tools into quality assurance process of software releases.
  • S0135: Skill in secure test plan design (e. g. unit, integration, system, acceptance).
  • S0138: Skill in using Public-Key Infrastructure (PKI) encryption and digital signature capabilities into applications (e.g., S/MIME email, SSL traffic).
  • S0174: Skill in using code analysis tools.
  • S0175: Skill in performing root cause analysis.
  • S0367: Skill to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). 
  • T0013: Apply coding and testing standards, apply security testing tools including "'fuzzing" static-analysis code scanning tools, and conduct code reviews.
  • T0014: Apply secure code documentation.
  • T0022: Capture security controls used during the requirements phase to integrate security within the process, to identify key security objectives, and to maximize software security while minimizing disruption to plans and schedules.
  • T0038: Develop threat model based on customer interviews and requirements.
  • T0040: Consult with engineering staff to evaluate interface between hardware and software.
  • T0100: Evaluate factors such as reporting formats required, cost constraints, and need for security restrictions to determine hardware configuration.
  • T0111: Identify basic common coding flaws at a high level.
  • T0117: Identify security implications and apply methodologies within centralized and decentralized environments across the enterprise's computer systems in software development.
  • T0118: Identify security issues around steady state operation and management of software and incorporate security measures that must be taken when a product reaches its end of life.
  • T0171: Perform integrated quality assurance testing for security functionality and resiliency attack.
  • T0181: Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change.
  • T0217: Address security implications in the software acceptance phase including completion criteria, risk acceptance and documentation, common criteria, and methods of independent testing.
  • T0228: Store, retrieve, and manipulate data for analysis of system capabilities and requirements.
  • T0236: Translate security requirements into application design elements including documenting the elements of the software attack surfaces, conducting threat modeling, and defining any specific security criteria.
  • T0266: Perform penetration testing as required for new or updated applications.
  • T0311: Consult with customers about software system design and maintenance.
  • T0324: Direct software programming and development of documentation.
  • T0337: Supervise and assign work to programmers, designers, technologists and technicians, and other engineering and scientific personnel.
  • T0424: Analyze and provide information to stakeholders that will support the development of security application or modification of an existing security application.
  • T0428: Analyze security needs and software requirements to determine feasibility of design within time and cost constraints and security mandates.
  • T0436: Conduct trial runs of programs and software applications to ensure that the desired information is produced and instructions and security levels are correct.
  • T0456: Develop secure software testing and validation procedures.
  • T0457: Develop system testing and validation procedures, programming, and documentation.
  • T0516: Perform secure program testing, review, and/or assessment to identify potential flaws in codes and mitigate vulnerabilities.
  • T0554: Determine and document software patches or the extent of releases that would leave software vulnerable.
  • Capability Indicators for Secure Software Assessor
    Category Entry Intermediate Advanced
    Credentials/Certifications
    • Recommended: Yes
    • Example Types: N/A
    • Example Topics: Certifications addressing application vulnerabilities and delivery delays, and secure software concepts, requirements, design, implementation/coding, testing, software acceptance, software deployment, operations, maintenance, disposal supply chain, and software acquisition
    • Recommended: Yes (optional)
    • Example Types: N/A
    • Example Topics: Certifications addressing software programming/development, reducing production costs, application vulnerabilities and delivery delays, and secure software concepts, requirements, design, implementation/coding, testing, software acceptance, software deployment, operations, maintenance, disposal supply chain, and software acquisition
    • Recommended: Yes (optional)
    • Example Topics: Certifications addressing software programming/development, reducing production costs, application vulnerabilities and delivery delays, and secure software concepts, requirements, design, implementation/coding, testing, software acceptance, software deployment, operations, maintenance, disposal supply chain, software acquisition, and mastery of code analysis tools
    Continuous Learning
    • Recommended: Yes
    • Examples: 40 hours annually (may include mentoring, shadowing, conferences, webinars, or rotations)
    • Recommended: Yes
    • Examples: 40 hours annually (may include mentoring, shadowing, conferences, webinars, or rotations)
    • Recommended: Yes
    • Examples: 40 hours annually (may include mentoring, shadowing, conferences, webinars, or rotations)
    Education
    • Recommended: Yes
    • Example Types: Associate's (optional)
    • Example Topics: Computer science, cybersecurity, information technology, software engineering, information systems, and computer engineering
    • Recommended: Yes
    • Example Types: Bachelor's (optional)
    • Example Topics: Computer science, cybersecurity, information technology, software engineering, information systems, and computer engineering
    • Recommended: Yes
    • Example Types: Bachelor's, Master's, Ph.D. (optional)
    • Example Topics: Computer science, cybersecurity, information technology, software engineering, information systems, and computer engineering
    Experiential Learning
    • Recommended: Yes
    • Examples: 2+ years apprenticeship assessing software security
    • Recommended: Yes
    • Examples: 3+ years apprenticeship assessing software security
    • Recommended: Yes
    • Examples: 5+ years apprenticeship assessing software security
    Training
    • Recommended: Yes
    • Example Types: N/A
    • Example Topics: Software programming
    • Recommended: Yes
    • Example Types: N/A
    • Example Topics: Software programming
    • Recommended: Yes
    • Example Types: N/A
    • Example Topics: Software programming
  • A0007: Ability to tailor code analysis for application-specific concerns.
  • A0021: Ability to use and understand complex mathematical concepts (e.g., discrete math).
  • A0047: Ability to develop secure software according to secure software deployment methodologies, tools, and practices.
  • A0123: Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). 
  • A0170: Ability to identify critical infrastructure systems with information communication technology that were designed without system security considerations. 
  • K0001: Knowledge of computer networking concepts and protocols, and network security methodologies. 
  • K0002: Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). 
  • K0003: Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy. 
  • K0004: Knowledge of cybersecurity and privacy principles. 
  • K0005: Knowledge of cyber threats and vulnerabilities. 
  • K0006: Knowledge of specific operational impacts of cybersecurity lapses. 
  • K0014: Knowledge of complex data structures. 
  • K0016: Knowledge of computer programming principles 
  • K0027: Knowledge of organization's enterprise information security architecture. 
  • K0028: Knowledge of organization's evaluation and validation requirements. 
  • K0039: Knowledge of cybersecurity and privacy principles and methods that apply to software development. 
  • K0044: Knowledge of cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). 
  • K0050: Knowledge of local area and wide area networking principles and concepts including bandwidth management. 
  • K0051: Knowledge of low-level computer languages (e.g., assembly languages). 
  • K0060: Knowledge of operating systems.
  • K0066: Knowledge of Privacy Impact Assessments.
  • K0068: Knowledge of programming language structures and logic.
  • K0070: Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
  • K0073: Knowledge of secure configuration management techniques.
  • K0079: Knowledge of software debugging principles.
  • K0080: Knowledge of software design tools, methods, and techniques.
  • K0081: Knowledge of software development models (e.g., Waterfall Model, Spiral Model).
  • K0082: Knowledge of software engineering.
  • K0084: Knowledge of structured analysis principles and methods.
  • K0086: Knowledge of system design tools, methods, and techniques, including automated systems analysis and design tools.
  • K0105: Knowledge of web services (e.g., service-oriented architecture, Simple Object Access Protocol, and web service description language). 
  • K0139: Knowledge of interpreted and compiled computer languages.
  • K0140: Knowledge of secure coding techniques.
  • K0152: Knowledge of software related information technology (IT) security principles and methods (e.g., modularization, layering, abstraction, data hiding, simplicity/minimization).
  • K0153: Knowledge of software quality assurance process.
  • K0154: Knowledge of supply chain risk management standards, processes, and practices.
  • K0170: Knowledge of critical infrastructure systems with information communication technology that were designed without system security considerations. 
  • K0179: Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). 
  • K0199: Knowledge of security architecture concepts and enterprise architecture reference models (e.g., Zachman, Federal Enterprise Architecture [FEA]).
  • K0202: Knowledge of the application firewall concepts and functions (e.g., Single point of authentication/audit/policy enforcement, message scanning for malicious content, data anonymization for PCI and PII compliance, data loss protection scanning, accelerated cryptographic operations, SSL security, REST/JSON processing).
  • K0260: Knowledge of Personally Identifiable Information (PII) data security standards. 
  • K0261: Knowledge of Payment Card Industry (PCI) data security standards. 
  • K0262: Knowledge of Personal Health Information (PHI) data security standards. 
  • K0263: Knowledge of information technology (IT) risk management policies, requirements, and procedures. 
  • K0322: Knowledge of embedded systems.
  • K0332: Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.
  • K0342: Knowledge of penetration testing principles, tools, and techniques.
  • K0343: Knowledge of root cause analysis techniques.
  • K0624: Knowledge of Application Security Risks (e.g. Open Web Application Security Project Top 10 list) 
  • S0001: Skill in conducting vulnerability scans and recognizing vulnerabilities in security systems.
  • S0014: Skill in conducting software debugging.
  • S0017: Skill in creating and utilizing mathematical or statistical models.
  • S0019: Skill in creating programs that validate and process multiple inputs including command line arguments, environmental variables, and input streams.
  • S0022: Skill in designing countermeasures to identified security risks.
  • S0031: Skill in developing and applying security system access controls.
  • S0034: Skill in discerning the protection needs (i.e., security controls) of information systems and networks.
  • S0060: Skill in writing code in a currently supported programming language (e.g., Java, C++).
  • S0135: Skill in secure test plan design (e. g. unit, integration, system, acceptance).
  • S0138: Skill in using Public-Key Infrastructure (PKI) encryption and digital signature capabilities into applications (e.g., S/MIME email, SSL traffic).
  • S0149: Skill in developing applications that can log and handle errors, exceptions, and application faults and logging.
  • S0174: Skill in using code analysis tools.
  • S0175: Skill in performing root cause analysis.
  • S0367: Skill to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). 
  • T0009: Analyze information to determine, recommend, and plan the development of a new application or modification of an existing application.
  • T0011: Analyze user needs and software requirements to determine feasibility of design within time and cost constraints.
  • T0013: Apply coding and testing standards, apply security testing tools including "'fuzzing" static-analysis code scanning tools, and conduct code reviews.
  • T0014: Apply secure code documentation.
  • T0022: Capture security controls used during the requirements phase to integrate security within the process, to identify key security objectives, and to maximize software security while minimizing disruption to plans and schedules.
  • T0026: Compile and write documentation of program development and subsequent revisions, inserting comments in the coded instructions so others can understand the program.
  • T0034: Confer with systems analysts, engineers, programmers, and others to design application and to obtain information on project limitations and capabilities, performance requirements, and interfaces.
  • T0040: Consult with engineering staff to evaluate interface between hardware and software.
  • T0046: Correct errors by making appropriate changes and rechecking the program to ensure that desired results are produced.
  • T0057: Design, develop, and modify software systems, using scientific analysis and mathematical models to predict and measure outcome and consequences of design.
  • T0077: Develop secure code and error handling.
  • T0100: Evaluate factors such as reporting formats required, cost constraints, and need for security restrictions to determine hardware configuration.
  • T0111: Identify basic common coding flaws at a high level.
  • T0117: Identify security implications and apply methodologies within centralized and decentralized environments across the enterprise's computer systems in software development.
  • T0118: Identify security issues around steady state operation and management of software and incorporate security measures that must be taken when a product reaches its end of life.
  • T0171: Perform integrated quality assurance testing for security functionality and resiliency attack.
  • T0176: Perform secure programming and identify potential flaws in codes to mitigate vulnerabilities.
  • T0181: Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change.
  • T0189: Prepare detailed workflow charts and diagrams that describe input, output, and logical operation, and convert them into a series of instructions coded in a computer language.
  • T0217: Address security implications in the software acceptance phase including completion criteria, risk acceptance and documentation, common criteria, and methods of independent testing.
  • T0228: Store, retrieve, and manipulate data for analysis of system capabilities and requirements.
  • T0236: Translate security requirements into application design elements including documenting the elements of the software attack surfaces, conducting threat modeling, and defining any specific security criteria.
  • T0267: Design countermeasures and mitigations against potential exploitations of programming language weaknesses and vulnerabilities in system and elements.
  • T0303: Identify and leverage the enterprise-wide version control system while designing and developing secure applications.
  • T0311: Consult with customers about software system design and maintenance.
  • T0324: Direct software programming and development of documentation.
  • T0337: Supervise and assign work to programmers, designers, technologists and technicians, and other engineering and scientific personnel.
  • T0416: Enable applications with public keying by leveraging existing public key infrastructure (PKI) libraries and incorporating certificate management and encryption functionalities when appropriate.
  • T0417: Identify and leverage the enterprise-wide security services while designing and developing secure applications (e.g., Enterprise PKI, Federated Identity server, Enterprise Antivirus solution) when appropriate.
  • T0436: Conduct trial runs of programs and software applications to ensure that the desired information is produced and instructions and security levels are correct.
  • T0455: Develop software system testing and validation procedures, programming, and documentation.
  • T0500: Modify and maintain existing software to correct errors, to adapt it to new hardware, or to upgrade interfaces and improve performance.
  • T0553: Apply cybersecurity functions (e.g., encryption, access control, and identity management) to reduce exploitation opportunities.
  • T0554: Determine and document software patches or the extent of releases that would leave software vulnerable.
  • Capability Indicators for Software Developer
    Category Entry Intermediate Advanced
    Credentials/Certifications
    • Recommended: Yes
    • Example Types: N/A
    • Example Topics: Certifications addressing reducing production costs, application vulnerabilities and delivery delays, secure software concepts, requirements, design, implementation/coding, security testing, software acceptance, software deployment, operations, maintenance, disposal supply chain, and software acquisition
    • Recommended: Yes
    • Example Types: N/A
    • Example Topics: Certifications addressing reducing production costs, application vulnerabilities and delivery delays, secure software concepts, requirements, design, implementation/coding, security testing, software acceptance, software deployment, operations, maintenance, disposal supply chain, and software acquisition
    • Recommended: Yes
    • Example Topics: Certifications addressing reducing production costs, application vulnerabilities and delivery delays, secure software concepts, requirements, design, implementation/coding, security testing, software acceptance, software deployment, operations, maintenance, disposal supply chain, and software acquisition
    Continuous Learning
    • Recommended: Yes
    • Examples: 40 hours annually (may include mentoring, shadowing, conferences, webinars, or rotations)
    • Recommended: Yes
    • Examples: 40 hours annually (may include mentoring, shadowing, conferences, webinars, or rotations)
    • Recommended: Yes
    • Examples: 40 hours annually (may include mentoring, shadowing, conferences, webinars, or rotations)
    Education
    • Recommended: Yes
    • Example Types: Associate's
    • Example Topics: Computer science, cybersecurity, information technology, software engineering, information systems, and computer engineering
    • Recommended: Yes
    • Example Types: Bachelor's
    • Example Topics: Computer science, cybersecurity, information technology, software engineering, information systems, and computer engineering
    • Recommended: Yes
    • Example Types: Bachelor's, Master's, Ph.D.
    • Example Topics: Computer science, cybersecurity, information technology, software engineering, information systems, and computer engineering
    Experiential Learning
    • Recommended: Yes
    • Examples: Supervised on-the-job training in software development
    • Recommended: Yes
    • Examples: Supervised on-the-job training in software development
    • Recommended: Yes
    • Examples: Supervised on-the-job training in software development
    Training
    • Recommended: N/A
    • Example Types: N/A
    • Example Topics: N/A
    • Recommended: N/A
    • Example Types: N/A
    • Example Topics: N/A
    • Recommended: N/A
    • Example Types: N/A
    • Example Topics: N/A