Software Development

Develops and writes/codes new (or modifies existing) computer applications, software, or specialized utility programs following software assurance best practices.



Below are the associated Work Roles, each with its Core and Additional KSATs (Knowledge, Skills, Abilities, and Tasks). Items denoted by a * are CORE KSATs for every Work Role, while other CORE KSATs vary by Work Role.

Secure Software Assessor

Work Role ID: 622 (NIST: SP-DEV-002)

Workforce Element: Cybersecurity

Analyzes the security of new or existing computer applications, software, or specialized utility programs and provides actionable results.

Core KSATs

KSAT ID Description KSAT
22

* Knowledge of computer networking concepts and protocols, and network security methodologies.

Knowledge
40

Knowledge of organization’s evaluation and validation requirements.

Knowledge
56

Knowledge of cybersecurity principles and methods that apply to software development.

Knowledge
63

Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).

Knowledge
90

Knowledge of operating systems.

Knowledge
105

Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).

Knowledge
108

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

Knowledge
109

Knowledge of secure configuration management techniques.

Knowledge
177

Skill in designing countermeasures to identified security risks.

Skill
197

Skill in discerning the protection needs (i.e., security controls) of information systems and networks.

Skill
417

Apply coding and testing standards, apply security testing tools including “fuzzing” static-analysis code scanning tools, and conduct code reviews.

Task
432

Capture security controls used during the requirements phase to integrate security within the process, to identify key security objectives, and to maximize software security while minimizing disruption to plans and schedules.

Task
467

Consult with engineering staff to evaluate interface between hardware and software.

Task
515B

Develop secure software testing and validation procedures.

Task
634

Identify basic common coding flaws at a high level.

Task
645

Identify security issues around steady state operation and management of software and incorporate security measures that must be taken when a product reaches its end of life.

Task
764A

Perform secure program testing, review, and/or assessment to identify potential flaws in codes and mitigate vulnerabilities.

Task
770

Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change.

Task
826

Address security implications in the software acceptance phase including completion criteria, risk acceptance and documentation, common criteria, and methods of independent testing.

Task
865

Translate security requirements into application design elements including documenting the elements of the software attack surfaces, conducting threat modeling, and defining any specific security criteria.

Task
972A

Determine and document software patches or the extent of releases that would leave software vulnerable.

Task
973A

Skill in using code analysis tools.

Skill
976

Knowledge of software quality assurance process.

Knowledge
1020A

Skill in secure test plan design (e.g., unit, integration, system, acceptance).

Skill
1034A

Knowledge of Personally Identifiable Information (PII) data security standards.

Knowledge
1037A

Knowledge of information technology (IT) risk management policies, requirements, and procedures.

Knowledge
1071

Knowledge of secure software deployment methodologies, tools, and practices.

Knowledge
1157

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

Knowledge
1158

* Knowledge of cybersecurity principles.

Knowledge
1159

* Knowledge of cyber threats and vulnerabilities.

Knowledge
6900

* Knowledge of specific operational impacts of cybersecurity lapses.

Knowledge
6935

* Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

Knowledge
6938

* Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments.

Knowledge

Additional KSATs

KSAT ID Description KSAT
3B

Skill in conducting vulnerability scans and recognizing vulnerabilities in information systems and networks.

Skill
20

Knowledge of complex data structures.

Knowledge
23

Knowledge of computer programming principles such as object-oriented design.

Knowledge
38

Knowledge of organization’s enterprise information security architecture system.

Knowledge
43A

Knowledge of embedded systems.

Knowledge
72

Knowledge of local area and wide area networking principles and concepts including bandwidth management.

Knowledge
74

Knowledge of low-level computer languages (e.g., assembly languages).

Knowledge
81A

Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.

Knowledge
95A

Knowledge of penetration testing principles, tools, and techniques.

Knowledge
100

Knowledge of Privacy Impact Assessments.

Knowledge
102

Knowledge of programming language structures and logic.

Knowledge
116

Knowledge of software debugging principles.

Knowledge
117

Knowledge of software design tools, methods, and techniques.

Knowledge
118

Knowledge of software development models (e.g., Waterfall Model, Spiral Model).

Knowledge
119

Knowledge of software engineering.

Knowledge
121

Knowledge of structured analysis principles and methods.

Knowledge
124

Knowledge of system design tools, methods, and techniques, including automated systems analysis and design tools.

Knowledge
149

Knowledge of web services, including service-oriented architecture, Simple Object Access Protocol, and web service description language.

Knowledge
168

Skill in conducting software debugging.

Skill
191

Skill in developing and applying security system access controls.

Skill
408A

Analyze and provide information to stakeholders that will support the development of a security application or modification of an existing security application.

Task
414A

Analyze security needs and software requirements to determine feasibility of design within time and cost constraints and security mandates.

Task
418

Apply secure code documentation.

Task
459A

Conduct trial runs of programs and software applications to ensure the desired information is produced and instructions and security levels are correct.

Task
465

Develop threat model based on customer interviews and requirements.

Task
515C

Develop system testing and validation procedures, programming, and documentation.

Task
602

Evaluate factors such as reporting formats required, cost constraints, and need for security restrictions to determine hardware configuration.

Task
644

Identify security implications and apply methodologies within centralized and decentralized environments across the enterprise’s computer systems in software development.

Task
710

Monitor and evaluate a system’s compliance with information technology (IT) security, resilience, and dependability requirements.

Task
756

Perform integrated quality assurance testing for security functionality and resiliency attack.

Task
850

Store, retrieve, and manipulate data for analysis of system capabilities and requirements.

Task
904

Knowledge of interpreted and compiled computer languages.

Knowledge
905

Knowledge of secure coding techniques.

Knowledge
936

Develop security compliance processes and/or audits for external services (e.g., cloud service providers, data centers).

Task
968

Knowledge of software related information technology (IT) security principles and methods (e.g., modularization, layering, abstraction, data hiding, simplicity/minimization).

Knowledge
969

Perform penetration testing as required for new or updated applications.

Task
975

Skill in integrating black box security testing tools into quality assurance process of software releases.

Skill
978A

Knowledge of root cause analysis techniques.

Knowledge
979

Knowledge of supply chain risk management standards, processes, and practices.

Knowledge
980A

Skill in performing root cause analysis.

Skill
1034B

Knowledge of Payment Card Industry (PCI) data security standards.

Knowledge
1034C

Knowledge of Personal Health Information (PHI) data security standards.

Knowledge
1038B

Knowledge of local specialized system requirements (e.g., critical infrastructure/control systems that may not use standard information technology [IT]) for safety, performance, and reliability.

Knowledge
1072

Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).

Knowledge
1131

Knowledge of security architecture concepts and enterprise architecture reference models (e.g., Zachman, Federal Enterprise Architecture [FEA]).

Knowledge
1135

Knowledge of the application firewall concepts and functions (e.g., Single point of authentication/audit/policy enforcement, message scanning for malicious content, data anonymization for PCI and PII compliance, data loss protection scanning, accelerated cryptographic operations, SSL security, REST/JSON processing).

Knowledge
1140A

Skill in using Public-Key Infrastructure (PKI) encryption and digital signature capabilities into applications (e.g., S/MIME email, SSL traffic).

Skill
2156

Consult with customers about software system design and maintenance.

Task
2335

Direct software programming and development of documentation.

Task
2839

Supervise and assign work to programmers, designers, technologists and technicians and other engineering and scientific personnel.

Task
3080

Ability to use and understand complex mathematical concepts (e.g., discrete math).

Ability
6932

Knowledge of mobile device (Android/iOS) development structures, principles, platforms, containers, languages, and the specific vulnerabilities associated with mobile device development.

Knowledge
6944

Skill in implementing defensive programming techniques.

Skill

Software Developer

Work Role ID: 621 (NIST: SP-DEV-001)

Workforce Element: Software Engineering

Executes software planning, requirements, risk management, design, development, architecture, modeling, estimation, configuration management, quality, security, and tests using software development methodologies, architectural structures, viewpoints, styles, design decisions, and frameworks across all lifecycle phases.

Core KSATs

KSAT ID Description KSAT
20

Knowledge of complex data structures.

Knowledge
22

* Knowledge of computer networking concepts and protocols, and network security methodologies.

Knowledge
23

Knowledge of computer programming principles such as object-oriented design.

Knowledge
56

Knowledge of cybersecurity principles and methods that apply to software development.

Knowledge
90

Knowledge of operating systems.

Knowledge
95B

Knowledge of penetration testing principles, tools, and techniques, including specialized tools for non-traditional systems and networks (e.g., control systems).

Knowledge
102

Knowledge of programming language structures and logic.

Knowledge
105

Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).

Knowledge
108

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

Knowledge
116

Knowledge of software debugging principles.

Knowledge
117

Knowledge of software design tools, methods, and techniques.

Knowledge
118A

Knowledge of software development models, methodologies, and practices (Waterfall Model, Spiral, Agile, DevSecOps).

Knowledge
119

Knowledge of software engineering.

Knowledge
121

Knowledge of structured analysis principles and methods.

Knowledge
124

Knowledge of system design tools, methods, and techniques, including automated systems analysis and design tools.

Knowledge
149

Knowledge of web services, including service-oriented architecture, Simple Object Access Protocol, and web service description language.

Knowledge
168

Skill in conducting software debugging.

Skill
174

Skill in creating programs that validate and process multiple inputs including command line arguments, environmental variables, and input streams.

Skill
185A

Skill in developing applications that can log and handle errors, exceptions, and application faults and logging.

Skill
191A

Knowledge of development and application of security system access controls.

Knowledge
408

Analyze information to determine, recommend, and plan the development of a new application or modification of an existing application.

Task
414

Analyze user needs and software requirements to determine feasibility of design within time and cost constraints.

Task
417

Apply coding and testing standards, apply security testing tools including “fuzzing” static-analysis code scanning tools, and conduct code reviews.

Task
418

Apply secure code documentation.

Task
432

Capture security controls used during the requirements phase to integrate security within the process, to identify key security objectives, and to maximize software security while minimizing disruption to plans and schedules.

Task
446

Compile and write documentation of program development and subsequent revisions, inserting comments in the coded instructions so others can understand the program.

Task
459A

Conduct trial runs of programs and software applications to ensure the desired information is produced and instructions and security levels are correct.

Task
461

Confer with systems analysts, engineers, programmers, and others to design application and to obtain information on project limitations and capabilities, performance requirements, and interfaces.

Task
467

Consult with engineering staff to evaluate interface between hardware and software.

Task
477

Correct errors by making appropriate changes and rechecking the program to ensure desired results are produced.

Task
506

Design, develop, and modify software systems, using scientific analysis and mathematical models to predict and measure outcome and consequences of design.

Task
515A

Develop software system testing and validation procedures, programming, and documentation.

Task
543

Develop secure code and error handling.

Task
634

Identify basic common coding flaws at a high level.

Task
709A

Modify and maintain existing software to correct errors, to adapt it to new hardware, or to upgrade interfaces and improve performance.

Task
764

Perform secure programming and identify potential flaws in codes to mitigate vulnerabilities.

Task
785

Prepare detailed workflow charts and diagrams that describe input, output, and logical operation, and convert them into a series of instructions coded in a computer language.

Task
865

Translate security requirements into application design elements including documenting the elements of the software attack surfaces, conducting threat modeling, and defining any specific security criteria.

Task
904A

Knowledge of interpreted and compiled computer languages.

Knowledge
905A

Skill in applying secure coding techniques.

Skill
905

Knowledge of secure coding techniques.

Knowledge
968

Knowledge of software related information technology (IT) security principles and methods (e.g., modularization, layering, abstraction, data hiding, simplicity/minimization).

Knowledge
970A

Apply cybersecurity functions (e.g., encryption, access control, and identity management) to reduce exploitation opportunities.

Task
973A

Skill in using code analysis tools.

Skill
1071A

Ability to develop secure software according to secure software deployment methodologies, tools, and practices.

Ability
1151

Identify and leverage the enterprise-wide version control system while designing and developing secure applications.

Task
1157

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

Knowledge
1158

* Knowledge of cybersecurity principles.

Knowledge
1159

* Knowledge of cyber threats and vulnerabilities.

Knowledge
2335

Direct software programming and development of documentation.

Task
5200

Design, implement, test, and evaluate secure interfaces between information systems, physical systems, and/or embedded technologies.

Task
6900

* Knowledge of specific operational impacts of cybersecurity lapses.

Knowledge
6935

* Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

Knowledge
6938

* Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments.

Knowledge

Additional KSATs

KSAT ID Description KSAT
3B

Skill in conducting vulnerability scans and recognizing vulnerabilities in information systems and networks.

Skill
38

Knowledge of organization’s enterprise information security architecture system.

Knowledge
40

Knowledge of organization’s evaluation and validation requirements.

Knowledge
43A

Knowledge of embedded systems.

Knowledge
63

Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).

Knowledge
72

Knowledge of local area and wide area networking principles and concepts including bandwidth management.

Knowledge
74

Knowledge of low-level computer languages (e.g., assembly languages).

Knowledge
81A

Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.

Knowledge
100

Knowledge of Privacy Impact Assessments.

Knowledge
109

Knowledge of secure configuration management techniques.

Knowledge
172

Skill in creating and utilizing mathematical or statistical models.

Skill
177

Skill in designing countermeasures to identified security risks.

Skill
197

Skill in discerning the protection needs (i.e., security controls) of information systems and networks.

Skill
515A

Develop software system testing and validation procedures, programming, and documentation.

Task
602

Evaluate factors such as reporting formats required, cost constraints, and need for security restrictions to determine hardware configuration.

Task
644

Identify security implications and apply methodologies within centralized and decentralized environments across the enterprise’s computer systems in software development.

Task
645

Identify security issues around steady state operation and management of software and incorporate security measures that must be taken when a product reaches its end of life.

Task
756

Perform integrated quality assurance testing for security functionality and resiliency attack.

Task
826

Address security implications in the software acceptance phase including completion criteria, risk acceptance and documentation, common criteria, and methods of independent testing.

Task
850

Store, retrieve, and manipulate data for analysis of system capabilities and requirements.

Task
971

Design countermeasures and mitigations against potential exploitations of programming language weaknesses and vulnerabilities in system and elements.

Task
972A

Determine and document software patches or the extent of releases that would leave software vulnerable.

Task
976

Knowledge of software quality assurance process.

Knowledge
978A

Knowledge of root cause analysis techniques.

Knowledge
979

Knowledge of supply chain risk management standards, processes, and practices.

Knowledge
980A

Skill in performing root cause analysis.

Skill
1020A

Skill in secure test plan design (e.g., unit, integration, system, acceptance).

Skill
1034C

Knowledge of Personal Health Information (PHI) data security standards.

Knowledge
1034B

Knowledge of Payment Card Industry (PCI) data security standards.

Knowledge
1034A

Knowledge of Personally Identifiable Information (PII) data security standards.

Knowledge
1037A

Knowledge of information technology (IT) risk management policies, requirements, and procedures.

Knowledge
1038B

Knowledge of local specialized system requirements (e.g., critical infrastructure/control systems that may not use standard information technology [IT]) for safety, performance, and reliability.

Knowledge
1072

Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).

Knowledge
1131

Knowledge of security architecture concepts and enterprise architecture reference models (e.g., Zachman, Federal Enterprise Architecture [FEA]).

Knowledge
1135

Knowledge of the application firewall concepts and functions (e.g., Single point of authentication/audit/policy enforcement, message scanning for malicious content, data anonymization for PCI and PII compliance, data loss protection scanning, accelerated cryptographic operations, SSL security, REST/JSON processing).

Knowledge
1140A

Skill in using Public-Key Infrastructure (PKI) encryption and digital signature capabilities into applications (e.g., S/MIME email, SSL traffic).

Skill
1149A

Enable applications with public keying by leveraging existing public key infrastructure (PKI) libraries and incorporating certificate management and encryption functionalities when appropriate.

Task
1150A

Identify and leverage the enterprise-wide security services while designing and developing secure applications (e.g., Enterprise PKI, Federated Identity server, Enterprise AV solution) when appropriate.

Task
2156

Consult with customers about software system design and maintenance.

Task
2839

Supervise and assign work to programmers, designers, technologists and technicians and other engineering and scientific personnel.

Task
3080

Ability to use and understand complex mathematical concepts (e.g., discrete math).

Ability
3822A

Skill in managing user relationships, including determining user needs/requirements, managing user expectations, and demonstrating commitment to delivering quality results.

Skill
6918

Ability to apply cybersecurity strategy to cloud computing service and deployment models, identifying proper architecture for different operating environments.

Ability
6919

Ability to determine the best cloud deployment model for the appropriate operating environment.

Ability
6942

Skill in designing or implementing cloud computing deployment models.

Skill
6945

Skill in migrating workloads to, from, and among the different cloud computing service models.

Skill
7097

Knowledge of planning for long-term maintainability using architectural structures, viewpoints, styles, design decisions and frameworks, and the underlying data structures.

Knowledge