Attention: CISA Learning is now available for External Users! The Federal Virtual Training Environment (FedVTE) has been permanently decommissioned and replaced by CISA Learning. Please reference the CISA Learning page for the latest information. Please note: CISA Users should wait to access CISA Learning until the system is ready for internal use in the coming days.

DD-WRL-005

Software Security Assessment

Responsible for analyzing the security of new or existing computer applications, software, or specialized utility programs and delivering actionable results.

Task statements

T0311: Consult with customers about software system design and maintenance
T1019: Determine special needs of cyber-physical systems
T1020: Determine the operational and safety impacts of cybersecurity lapses
T1052: Integrate black-box security testing tools into quality assurance processes
T1073: Perform code reviews
T1074: Prepare secure code documentation
T1082: Integrate software cybersecurity objectives into project plans and schedules
T1083: Determine project security controls
T1106: Develop threat models
T1108: Evaluate interfaces between hardware and software
T1190: Determine hardware configuration
T1197: Identify common coding flaws
T1202: Determine software development security implications within centralized and decentralized environments across the enterprise
T1203: Implement software development cybersecurity methodologies within centralized and decentralized environments across the enterprise
T1204: Determine cybersecurity measures for steady state operation and management of software
T1205: Incorporate product end-of-life cybersecurity measures
T1222: Determine security requirements for new information technologies
T1223: Determine security requirements for new operational technologies
T1258: Perform integrated quality assurance testing
T1269: Conduct risk analysis of applications and systems undergoing major changes
T1302: Address security implications in the software acceptance phase
T1309: Analyze system capabilities and requirements
T1318: Integrate security requirements into application design elements
T1319: Document software attack surface elements
T1320: Conduct threat modeling
T1354: Identify system cybersecurity requirements
T1359: Perform penetration testing
T1400: Design and develop secure applications
T1422: Develop software documentation
T1509: Analyze feasibility of software design within time and cost constraints
T1513: Conduct trial runs of programs and software applications
T1528: Develop software system testing and validation procedures
T1529: Create software system documentation
T1590: Identify programming flaws
T1624: Conduct vulnerability analysis of software patches and updates
T1625: Prepare vulnerability analysis reports
T1658: Determine customer requirements
T1913: Identify system security requirements

Knowledge statements

K0068: Knowledge of programming language structures and logic
K0674: Knowledge of computer networking protocols
K0675: Knowledge of risk management processes
K0676: Knowledge of cybersecurity laws and regulations
K0677: Knowledge of cybersecurity policies and procedures
K0678: Knowledge of privacy laws and regulations
K0679: Knowledge of privacy policies and procedures
K0680: Knowledge of cybersecurity principles and practices
K0681: Knowledge of privacy principles and practices
K0682: Knowledge of cybersecurity threats
K0683: Knowledge of cybersecurity vulnerabilities
K0684: Knowledge of cybersecurity threat characteristics
K0693: Knowledge of complex data structure capabilities and applications
K0695: Knowledge of programming principles and practices
K0710: Knowledge of enterprise cybersecurity architecture principles and practices
K0711: Knowledge of evaluation and validation principles and practices
K0712: Knowledge of Local Area Networks (LAN)
K0713: Knowledge of Wide Area Networks (WAN)
K0721: Knowledge of risk management principles and practices
K0722: Knowledge of software development principles and practices
K0728: Knowledge of Confidentiality, Integrity and Availability (CIA) principles and practices
K0729: Knowledge of non-repudiation principles and practices
K0730: Knowledge of cyber safety principles and practices
K0734: Knowledge of Risk Management Framework (RMF) requirements
K0735: Knowledge of risk management models and frameworks
K0737: Knowledge of bandwidth management tools and techniques
K0738: Knowledge of low-level programming languages
K0739: Knowledge of mathematics principles and practices
K0744: Knowledge of operating system (OS) systems and software
K0748: Knowledge of Privacy Impact Assessment (PIA) principles and practices
K0751: Knowledge of system threats
K0752: Knowledge of system vulnerabilities
K0755: Knowledge of configuration management (CM) tools and techniques
K0757: Knowledge of system design tools and techniques
K0759: Knowledge of client and server architecture
K0762: Knowledge of software debugging principles and practices
K0763: Knowledge of software design tools and techniques
K0764: Knowledge of software development models and frameworks
K0765: Knowledge of software engineering principles and practices
K0767: Knowledge of structured analysis principles and practices
K0768: Knowledge of automated systems analysis tools and techniques
K0778: Knowledge of enterprise information technology (IT) architecture principles and practices
K0782: Knowledge of web service protocols
K0791: Knowledge of defense-in-depth principles and practices
K0803: Knowledge of supply chain risk management principles and practices
K0813: Knowledge of interpreted and compiled programming language characteristics
K0814: Knowledge of secure coding tools and techniques
K0820: Knowledge of supply chain risks
K0826: Knowledge of software security principles and practices
K0827: Knowledge of software quality assurance (SQA) principles and practices
K0828: Knowledge of supply chain risk management standards and best practices
K0839: Knowledge of critical infrastructure systems and software
K0846: Knowledge of secure software deployment principles and practices
K0847: Knowledge of secure software deployment tools and techniques
K0870: Knowledge of enterprise architecture (EA) reference models and frameworks
K0871: Knowledge of enterprise architecture (EA) principles and practices
K0877: Knowledge of application firewall principles and practices
K0878: Knowledge of network firewall principles and practices
K0915: Knowledge of network architecture principles and practices
K0917: Knowledge of Personally Identifiable Information (PII) data security standards and best practices
K0918: Knowledge of Payment Card Industry (PCI) data security standards and best practices
K0919: Knowledge of Personal Health Information (PHI) data security standards and best practices
K0920: Knowledge of risk management policies and procedures
K0948: Knowledge of embedded systems and software
K0955: Knowledge of penetration testing principles and practices
K0956: Knowledge of penetration testing tools and techniques
K0957: Knowledge of root cause analysis tools and techniques
K0983: Knowledge of computer networking principles and practices
K1014: Knowledge of network security principles and practices
K1079: Knowledge of web application security risks
K1093: Knowledge of black-box software testing
K1099: Knowledge of code analysis tools and techniques
K1117: Knowledge of coding and testing standards
K1118: Knowledge of completion criteria
K1126: Knowledge of cost constraints
K1128: Knowledge of customer requirements
K1137: Knowledge of cybersecurity requirements
K1148: Knowledge of data manipulation principles and practices
K1149: Knowledge of data retrieval principles and practices
K1150: Knowledge of data storage principles and practices
K1157: Knowledge of enterprise-wide version control systems
K1165: Knowledge of independent testing methods
K1205: Knowledge of required reporting formats
K1208: Knowledge of risk acceptance and documentation
K1214: Knowledge of security restrictions
K1215: Knowledge of security testing tools and techniques

Skill statements

S0175: Skill in performing root cause analysis
S0465: Skill in identifying critical infrastructure systems
S0466: Skill in identifying systems designed without security considerations
S0543: Skill in scanning for vulnerabilities
S0544: Skill in recognizing vulnerabilities
S0562: Skill in creating mathematical models
S0563: Skill in creating statistical models
S0569: Skill in designing security controls
S0574: Skill in developing security system controls
S0616: Skill in applying black-box software testing
S0617: Skill in interpreting signatures
S0655: Skill in designing secure test plans
S0657: Skill in implementing Public Key Infrastructure (PKI) encryption
S0658: Skill in implementing digital signatures
S0825: Skill in communicating with engineering staff
S0829: Skill in conducting customer interviews
S0878: Skill in performing risk analysis
S0883: Skill in performing static code analysis

Source: Workforce Framework for Cybersecurity (NICE Framework) (NIST SP 800-181 Rev 1) (Version: 1.0.0)