Design and Development
DD-WRL-003
Secure Software Development
Responsible for developing, creating, modifying, and maintaining computer applications, software, or specialized utility programs.
- T0077: Develop secure code and error handling
- T0311: Consult with customers about software system design and maintenance
- T1019: Determine special needs of cyber-physical systems
- T1020: Determine the operational and safety impacts of cybersecurity lapses
- T1067: Recommend development of new applications or modification of existing applications
- T1068: Create development plans for new applications or modification of existing applications
- T1071: Evaluate software design plan timelines and cost estimates
- T1073: Perform code reviews
- T1074: Prepare secure code documentation
- T1082: Integrate software cybersecurity objectives into project plans and schedules
- T1083: Determine project security controls
- T1089: Create program documentation during initial development and subsequent revision phases
- T1098: Determine system performance requirements
- T1099: Design application interfaces
- T1108: Evaluate interfaces between hardware and software
- T1116: Correct program errors
- T1117: Determine if desired program results are produced
- T1135: Design and develop software systems
- T1190: Determine hardware configuration
- T1197: Identify common coding flaws
- T1202: Determine software development security implications within centralized and decentralized environments across the enterprise
- T1203: Implement software development cybersecurity methodologies within centralized and decentralized environments across the enterprise
- T1204: Determine cybersecurity measures for steady state operation and management of software
- T1205: Incorporate product end-of-life cybersecurity measures
- T1258: Perform integrated quality assurance testing
- T1261: Mitigate programming vulnerabilities
- T1262: Identify programming code flaws
- T1269: Conduct risk analysis of applications and systems undergoing major changes
- T1280: Develop workflow charts and diagrams
- T1281: Convert workflow charts and diagrams into coded computer language instructions
- T1302: Address security implications in the software acceptance phase
- T1309: Analyze system capabilities and requirements
- T1318: Integrate security requirements into application design elements
- T1319: Document software attack surface elements
- T1320: Conduct threat modeling
- T1360: Design programming language exploitation countermeasures and mitigations
- T1400: Design and develop secure applications
- T1422: Develop software documentation
- T1499: Integrate public key cryptography into applications
- T1509: Analyze feasibility of software design within time and cost constraints
- T1513: Conduct trial runs of programs and software applications
- T1528: Develop software system testing and validation procedures
- T1529: Create software system documentation
- T1575: Adapt software to new hardware
- T1576: Upgrade software interfaces
- T1577: Improve software performance
- T1624: Conduct vulnerability analysis of software patches and updates
- T1625: Prepare vulnerability analysis reports
- K0068: Knowledge of programming language structures and logic
- K0639: Knowledge of code tailoring tools and techniques
- K0674: Knowledge of computer networking protocols
- K0675: Knowledge of risk management processes
- K0676: Knowledge of cybersecurity laws and regulations
- K0677: Knowledge of cybersecurity policies and procedures
- K0678: Knowledge of privacy laws and regulations
- K0679: Knowledge of privacy policies and procedures
- K0680: Knowledge of cybersecurity principles and practices
- K0681: Knowledge of privacy principles and practices
- K0682: Knowledge of cybersecurity threats
- K0683: Knowledge of cybersecurity vulnerabilities
- K0684: Knowledge of cybersecurity threat characteristics
- K0693: Knowledge of complex data structure capabilities and applications
- K0695: Knowledge of programming principles and practices
- K0710: Knowledge of enterprise cybersecurity architecture principles and practices
- K0711: Knowledge of evaluation and validation principles and practices
- K0712: Knowledge of Local Area Networks (LAN)
- K0713: Knowledge of Wide Area Networks (WAN)
- K0721: Knowledge of risk management principles and practices
- K0722: Knowledge of software development principles and practices
- K0728: Knowledge of Confidentiality, Integrity and Availability (CIA) principles and practices
- K0729: Knowledge of non-repudiation principles and practices
- K0730: Knowledge of cyber safety principles and practices
- K0734: Knowledge of Risk Management Framework (RMF) requirements
- K0735: Knowledge of risk management models and frameworks
- K0737: Knowledge of bandwidth management tools and techniques
- K0738: Knowledge of low-level programming languages
- K0739: Knowledge of mathematics principles and practices
- K0744: Knowledge of operating system (OS) systems and software
- K0748: Knowledge of Privacy Impact Assessment (PIA) principles and practices
- K0751: Knowledge of system threats
- K0752: Knowledge of system vulnerabilities
- K0755: Knowledge of configuration management (CM) tools and techniques
- K0757: Knowledge of system design tools and techniques
- K0759: Knowledge of client and server architecture
- K0762: Knowledge of software debugging principles and practices
- K0763: Knowledge of software design tools and techniques
- K0764: Knowledge of software development models and frameworks
- K0765: Knowledge of software engineering principles and practices
- K0767: Knowledge of structured analysis principles and practices
- K0768: Knowledge of automated systems analysis tools and techniques
- K0778: Knowledge of enterprise information technology (IT) architecture principles and practices
- K0782: Knowledge of web service protocols
- K0791: Knowledge of defense-in-depth principles and practices
- K0803: Knowledge of supply chain risk management principles and practices
- K0813: Knowledge of interpreted and compiled programming language characteristics
- K0814: Knowledge of secure coding tools and techniques
- K0820: Knowledge of supply chain risks
- K0826: Knowledge of software security principles and practices
- K0827: Knowledge of software quality assurance (SQA) principles and practices
- K0828: Knowledge of supply chain risk management standards and best practices
- K0839: Knowledge of critical infrastructure systems and software
- K0870: Knowledge of enterprise architecture (EA) reference models and frameworks
- K0871: Knowledge of enterprise architecture (EA) principles and practices
- K0877: Knowledge of application firewall principles and practices
- K0878: Knowledge of network firewall principles and practices
- K0891: Knowledge of the Open Systems Interconnect (OSI) reference model
- K0915: Knowledge of network architecture principles and practices
- K0917: Knowledge of Personally Identifiable Information (PII) data security standards and best practices
- K0918: Knowledge of Payment Card Industry (PCI) data security standards and best practices
- K0919: Knowledge of Personal Health Information (PHI) data security standards and best practices
- K0920: Knowledge of risk management policies and procedures
- K0948: Knowledge of embedded systems and software
- K0955: Knowledge of penetration testing principles and practices
- K0956: Knowledge of penetration testing tools and techniques
- K0957: Knowledge of root cause analysis tools and techniques
- K0983: Knowledge of computer networking principles and practices
- K1014: Knowledge of network security principles and practices
- K1079: Knowledge of web application security risks
- K1099: Knowledge of code analysis tools and techniques
- K1117: Knowledge of coding and testing standards
- K1118: Knowledge of completion criteria
- K1126: Knowledge of cost constraints
- K1137: Knowledge of cybersecurity requirements
- K1148: Knowledge of data manipulation principles and practices
- K1149: Knowledge of data retrieval principles and practices
- K1150: Knowledge of data storage principles and practices
- K1157: Knowledge of enterprise-wide version control systems
- K1165: Knowledge of independent testing methods
- K1170: Knowledge of mathematical models
- K1203: Knowledge of Public Key Infrastructure (PKI) libraries
- K1205: Knowledge of required reporting formats
- K1208: Knowledge of risk acceptance and documentation
- K1210: Knowledge of secure programming tools and techniques
- K1214: Knowledge of security restrictions
- K1215: Knowledge of security testing tools and techniques
- K1236: Knowledge of user requirements
- K1239: Knowledge of certificate management principles and practices
- S0172: Skill in applying secure coding techniques
- S0175: Skill in performing root cause analysis
- S0382: Skill in tailoring code analysis
- S0417: Skill in deploying software securely
- S0465: Skill in identifying critical infrastructure systems
- S0466: Skill in identifying systems designed without security considerations
- S0543: Skill in scanning for vulnerabilities
- S0544: Skill in recognizing vulnerabilities
- S0560: Skill in debugging software
- S0562: Skill in creating mathematical models
- S0563: Skill in creating statistical models
- S0565: Skill in implementing input validation
- S0569: Skill in designing security controls
- S0574: Skill in developing security system controls
- S0597: Skill in writing code in a currently supported programming language
- S0655: Skill in designing secure test plans
- S0657: Skill in implementing Public Key Infrastructure (PKI) encryption
- S0658: Skill in implementing digital signatures
- S0670: Skill in implementing error handling in applications
- S0825: Skill in communicating with engineering staff
- S0836: Skill in encrypting data
- S0878: Skill in performing risk analysis
- S0879: Skill in performing scientific analysis
- S0883: Skill in performing static code analysis
Source: Workforce Framework for Cybersecurity (NICE Framework) (NIST SP 800-181 Rev 1) (Version: 1.0.0)