Design and Development
DD-WRL-005
Software Security Assessment
Responsible for analyzing the security of new or existing computer applications, software, or specialized utility programs and delivering actionable results.
- T0311: Consult with customers about software system design and maintenance
- T1019: Determine special needs of cyber-physical systems
- T1020: Determine the operational and safety impacts of cybersecurity lapses
- T1052: Integrate black-box security testing tools into quality assurance processes
- T1073: Perform code reviews
- T1074: Prepare secure code documentation
- T1082: Integrate software cybersecurity objectives into project plans and schedules
- T1083: Determine project security controls
- T1106: Develop threat models
- T1108: Evaluate interfaces between hardware and software
- T1190: Determine hardware configuration
- T1197: Identify common coding flaws
- T1202: Determine software development security implications within centralized and decentralized environments across the enterprise
- T1203: Implement software development cybersecurity methodologies within centralized and decentralized environments across the enterprise
- T1204: Determine cybersecurity measures for steady state operation and management of software
- T1205: Incorporate product end-of-life cybersecurity measures
- T1222: Determine security requirements for new information technologies
- T1223: Determine security requirements for new operational technologies
- T1258: Perform integrated quality assurance testing
- T1269: Conduct risk analysis of applications and systems undergoing major changes
- T1302: Address security implications in the software acceptance phase
- T1309: Analyze system capabilities and requirements
- T1318: Integrate security requirements into application design elements
- T1319: Document software attack surface elements
- T1320: Conduct threat modeling
- T1354: Identify system cybersecurity requirements
- T1359: Perform penetration testing
- T1400: Design and develop secure applications
- T1422: Develop software documentation
- T1509: Analyze feasibility of software design within time and cost constraints
- T1513: Conduct trial runs of programs and software applications
- T1528: Develop software system testing and validation procedures
- T1529: Create software system documentation
- T1590: Identify programming flaws
- T1624: Conduct vulnerability analysis of software patches and updates
- T1625: Prepare vulnerability analysis reports
- T1658: Determine customer requirements
- T1913: Identify system security requirements
- K0068: Knowledge of programming language structures and logic
- K0674: Knowledge of computer networking protocols
- K0675: Knowledge of risk management processes
- K0676: Knowledge of cybersecurity laws and regulations
- K0677: Knowledge of cybersecurity policies and procedures
- K0678: Knowledge of privacy laws and regulations
- K0679: Knowledge of privacy policies and procedures
- K0680: Knowledge of cybersecurity principles and practices
- K0681: Knowledge of privacy principles and practices
- K0682: Knowledge of cybersecurity threats
- K0683: Knowledge of cybersecurity vulnerabilities
- K0684: Knowledge of cybersecurity threat characteristics
- K0693: Knowledge of complex data structure capabilities and applications
- K0695: Knowledge of programming principles and practices
- K0710: Knowledge of enterprise cybersecurity architecture principles and practices
- K0711: Knowledge of evaluation and validation principles and practices
- K0712: Knowledge of Local Area Networks (LAN)
- K0713: Knowledge of Wide Area Networks (WAN)
- K0721: Knowledge of risk management principles and practices
- K0722: Knowledge of software development principles and practices
- K0728: Knowledge of Confidentiality, Integrity and Availability (CIA) principles and practices
- K0729: Knowledge of non-repudiation principles and practices
- K0730: Knowledge of cyber safety principles and practices
- K0734: Knowledge of Risk Management Framework (RMF) requirements
- K0735: Knowledge of risk management models and frameworks
- K0737: Knowledge of bandwidth management tools and techniques
- K0738: Knowledge of low-level programming languages
- K0739: Knowledge of mathematics principles and practices
- K0744: Knowledge of operating system (OS) systems and software
- K0748: Knowledge of Privacy Impact Assessment (PIA) principles and practices
- K0751: Knowledge of system threats
- K0752: Knowledge of system vulnerabilities
- K0755: Knowledge of configuration management (CM) tools and techniques
- K0757: Knowledge of system design tools and techniques
- K0759: Knowledge of client and server architecture
- K0762: Knowledge of software debugging principles and practices
- K0763: Knowledge of software design tools and techniques
- K0764: Knowledge of software development models and frameworks
- K0765: Knowledge of software engineering principles and practices
- K0767: Knowledge of structured analysis principles and practices
- K0768: Knowledge of automated systems analysis tools and techniques
- K0778: Knowledge of enterprise information technology (IT) architecture principles and practices
- K0782: Knowledge of web service protocols
- K0791: Knowledge of defense-in-depth principles and practices
- K0803: Knowledge of supply chain risk management principles and practices
- K0813: Knowledge of interpreted and compiled programming language characteristics
- K0814: Knowledge of secure coding tools and techniques
- K0820: Knowledge of supply chain risks
- K0826: Knowledge of software security principles and practices
- K0827: Knowledge of software quality assurance (SQA) principles and practices
- K0828: Knowledge of supply chain risk management standards and best practices
- K0839: Knowledge of critical infrastructure systems and software
- K0846: Knowledge of secure software deployment principles and practices
- K0847: Knowledge of secure software deployment tools and techniques
- K0870: Knowledge of enterprise architecture (EA) reference models and frameworks
- K0871: Knowledge of enterprise architecture (EA) principles and practices
- K0877: Knowledge of application firewall principles and practices
- K0878: Knowledge of network firewall principles and practices
- K0915: Knowledge of network architecture principles and practices
- K0917: Knowledge of Personally Identifiable Information (PII) data security standards and best practices
- K0918: Knowledge of Payment Card Industry (PCI) data security standards and best practices
- K0919: Knowledge of Personal Health Information (PHI) data security standards and best practices
- K0920: Knowledge of risk management policies and procedures
- K0948: Knowledge of embedded systems and software
- K0955: Knowledge of penetration testing principles and practices
- K0956: Knowledge of penetration testing tools and techniques
- K0957: Knowledge of root cause analysis tools and techniques
- K0983: Knowledge of computer networking principles and practices
- K1014: Knowledge of network security principles and practices
- K1079: Knowledge of web application security risks
- K1093: Knowledge of black-box software testing
- K1099: Knowledge of code analysis tools and techniques
- K1117: Knowledge of coding and testing standards
- K1118: Knowledge of completion criteria
- K1126: Knowledge of cost constraints
- K1128: Knowledge of customer requirements
- K1137: Knowledge of cybersecurity requirements
- K1148: Knowledge of data manipulation principles and practices
- K1149: Knowledge of data retrieval principles and practices
- K1150: Knowledge of data storage principles and practices
- K1157: Knowledge of enterprise-wide version control systems
- K1165: Knowledge of independent testing methods
- K1205: Knowledge of required reporting formats
- K1208: Knowledge of risk acceptance and documentation
- K1214: Knowledge of security restrictions
- K1215: Knowledge of security testing tools and techniques
- S0175: Skill in performing root cause analysis
- S0465: Skill in identifying critical infrastructure systems
- S0466: Skill in identifying systems designed without security considerations
- S0543: Skill in scanning for vulnerabilities
- S0544: Skill in recognizing vulnerabilities
- S0562: Skill in creating mathematical models
- S0563: Skill in creating statistical models
- S0569: Skill in designing security controls
- S0574: Skill in developing security system controls
- S0616: Skill in applying black-box software testing
- S0617: Skill in interpreting signatures
- S0655: Skill in designing secure test plans
- S0657: Skill in implementing Public Key Infrastructure (PKI) encryption
- S0658: Skill in implementing digital signatures
- S0825: Skill in communicating with engineering staff
- S0829: Skill in conducting customer interviews
- S0878: Skill in performing risk analysis
- S0883: Skill in performing static code analysis
Source: Workforce Framework for Cybersecurity (NICE Framework) (NIST SP 800-181 Rev 1) (Version: 1.0.0)