DD-WRL-003

Secure Software Development

Responsible for developing, creating, modifying, and maintaining computer applications, software, or specialized utility programs.

Tasks

T0077: Develop secure code and error handling
T0311: Consult with customers about software system design and maintenance
T1019: Determine special needs of cyber-physical systems
T1020: Determine the operational and safety impacts of cybersecurity lapses
T1067: Recommend development of new applications or modification of existing applications
T1068: Create development plans for new applications or modification of existing applications
T1071: Evaluate software design plan timelines and cost estimates
T1073: Perform code reviews
T1074: Prepare secure code documentation
T1082: Integrate software cybersecurity objectives into project plans and schedules
T1083: Determine project security controls
T1089: Create program documentation during initial development and subsequent revision phases
T1098: Determine system performance requirements
T1099: Design application interfaces
T1108: Evaluate interfaces between hardware and software
T1116: Correct program errors
T1117: Determine if desired program results are produced
T1135: Design and develop software systems
T1190: Determine hardware configuration
T1197: Identify common coding flaws
T1202: Determine software development security implications within centralized and decentralized environments across the enterprise
T1203: Implement software development cybersecurity methodologies within centralized and decentralized environments across the enterprise
T1204: Determine cybersecurity measures for steady state operation and management of software
T1205: Incorporate product end-of-life cybersecurity measures
T1258: Perform integrated quality assurance testing
T1261: Mitigate programming vulnerabilities
T1262: Identify programming code flaws
T1269: Conduct risk analysis of applications and systems undergoing major changes
T1280: Develop workflow charts and diagrams
T1281: Convert workflow charts and diagrams into coded computer language instructions
T1302: Address security implications in the software acceptance phase
T1309: Analyze system capabilities and requirements
T1318: Integrate security requirements into application design elements
T1319: Document software attack surface elements
T1320: Conduct threat modeling
T1360: Design programming language exploitation countermeasures and mitigations
T1400: Design and develop secure applications
T1422: Develop software documentation
T1499: Integrate public key cryptography into applications
T1509: Analyze feasibility of software design within time and cost constraints
T1513: Conduct trial runs of programs and software applications
T1528: Develop software system testing and validation procedures
T1529: Create software system documentation
T1575: Adapt software to new hardware
T1576: Upgrade software interfaces
T1577: Improve software performance
T1624: Conduct vulnerability analysis of software patches and updates
T1625: Prepare vulnerability analysis reports

Knowledges

K0068: Knowledge of programming language structures and logic
K0639: Knowledge of code tailoring tools and techniques
K0674: Knowledge of computer networking protocols
K0675: Knowledge of risk management processes
K0676: Knowledge of cybersecurity laws and regulations
K0677: Knowledge of cybersecurity policies and procedures
K0678: Knowledge of privacy laws and regulations
K0679: Knowledge of privacy policies and procedures
K0680: Knowledge of cybersecurity principles and practices
K0681: Knowledge of privacy principles and practices
K0682: Knowledge of cybersecurity threats
K0683: Knowledge of cybersecurity vulnerabilities
K0684: Knowledge of cybersecurity threat characteristics
K0693: Knowledge of complex data structure capabilities and applications
K0695: Knowledge of programming principles and practices
K0710: Knowledge of enterprise cybersecurity architecture principles and practices
K0711: Knowledge of evaluation and validation principles and practices
K0712: Knowledge of Local Area Networks (LAN)
K0713: Knowledge of Wide Area Networks (WAN)
K0721: Knowledge of risk management principles and practices
K0722: Knowledge of software development principles and practices
K0728: Knowledge of Confidentiality, Integrity and Availability (CIA) principles and practices
K0729: Knowledge of non-repudiation principles and practices
K0730: Knowledge of cyber safety principles and practices
K0734: Knowledge of Risk Management Framework (RMF) requirements
K0735: Knowledge of risk management models and frameworks
K0737: Knowledge of bandwidth management tools and techniques
K0738: Knowledge of low-level programming languages
K0739: Knowledge of mathematics principles and practices
K0744: Knowledge of operating system (OS) systems and software
K0748: Knowledge of Privacy Impact Assessment (PIA) principles and practices
K0751: Knowledge of system threats
K0752: Knowledge of system vulnerabilities
K0755: Knowledge of configuration management (CM) tools and techniques
K0757: Knowledge of system design tools and techniques
K0759: Knowledge of client and server architecture
K0762: Knowledge of software debugging principles and practices
K0763: Knowledge of software design tools and techniques
K0764: Knowledge of software development models and frameworks
K0765: Knowledge of software engineering principles and practices
K0767: Knowledge of structured analysis principles and practices
K0768: Knowledge of automated systems analysis tools and techniques
K0778: Knowledge of enterprise information technology (IT) architecture principles and practices
K0782: Knowledge of web service protocols
K0791: Knowledge of defense-in-depth principles and practices
K0803: Knowledge of supply chain risk management principles and practices
K0813: Knowledge of interpreted and compiled programming language characteristics
K0814: Knowledge of secure coding tools and techniques
K0820: Knowledge of supply chain risks
K0826: Knowledge of software security principles and practices
K0827: Knowledge of software quality assurance (SQA) principles and practices
K0828: Knowledge of supply chain risk management standards and best practices
K0839: Knowledge of critical infrastructure systems and software
K0870: Knowledge of enterprise architecture (EA) reference models and frameworks
K0871: Knowledge of enterprise architecture (EA) principles and practices
K0877: Knowledge of application firewall principles and practices
K0878: Knowledge of network firewall principles and practices
K0891: Knowledge of the Open Systems Interconnect (OSI) reference model
K0915: Knowledge of network architecture principles and practices
K0917: Knowledge of Personally Identifiable Information (PII) data security standards and best practices
K0918: Knowledge of Payment Card Industry (PCI) data security standards and best practices
K0919: Knowledge of Personal Health Information (PHI) data security standards and best practices
K0920: Knowledge of risk management policies and procedures
K0948: Knowledge of embedded systems and software
K0955: Knowledge of penetration testing principles and practices
K0956: Knowledge of penetration testing tools and techniques
K0957: Knowledge of root cause analysis tools and techniques
K0983: Knowledge of computer networking principles and practices
K1014: Knowledge of network security principles and practices
K1079: Knowledge of web application security risks
K1099: Knowledge of code analysis tools and techniques
K1117: Knowledge of coding and testing standards
K1118: Knowledge of completion criteria
K1126: Knowledge of cost constraints
K1137: Knowledge of cybersecurity requirements
K1148: Knowledge of data manipulation principles and practices
K1149: Knowledge of data retrieval principles and practices
K1150: Knowledge of data storage principles and practices
K1157: Knowledge of enterprise-wide version control systems
K1165: Knowledge of independent testing methods
K1170: Knowledge of mathematical models
K1203: Knowledge of Public Key Infrastructure (PKI) libraries
K1205: Knowledge of required reporting formats
K1208: Knowledge of risk acceptance and documentation
K1210: Knowledge of secure programming tools and techniques
K1214: Knowledge of security restrictions
K1215: Knowledge of security testing tools and techniques
K1236: Knowledge of user requirements
K1239: Knowledge of certificate management principles and practices

Skills

S0172: Skill in applying secure coding techniques
S0175: Skill in performing root cause analysis
S0382: Skill in tailoring code analysis
S0417: Skill in deploying software securely
S0465: Skill in identifying critical infrastructure systems
S0466: Skill in identifying systems designed without security considerations
S0543: Skill in scanning for vulnerabilities
S0544: Skill in recognizing vulnerabilities
S0560: Skill in debugging software
S0562: Skill in creating mathematical models
S0563: Skill in creating statistical models
S0565: Skill in implementing input validation
S0569: Skill in designing security controls
S0574: Skill in developing security system controls
S0597: Skill in writing code in a currently supported programming language
S0655: Skill in designing secure test plans
S0657: Skill in implementing Public Key Infrastructure (PKI) encryption
S0658: Skill in implementing digital signatures
S0670: Skill in implementing error handling in applications
S0825: Skill in communicating with engineering staff
S0836: Skill in encrypting data
S0878: Skill in performing risk analysis
S0879: Skill in performing scientific analysis
S0883: Skill in performing static code analysis

Source: Workforce Framework for Cybersecurity (NICE Framework) (NIST SP 800-181 Rev 1) (Version: 1.0.0)