Job Descriptions

Other Titles Include:

• Secure software developer/programmer
• Software testing and evaluation specialists
• Vulnerability analyst / assessor

Note: This role is most commonly found in large or medium-sized organizations. 

Reporting relationship

To be completed by the user of this job description as appropriate

Job purpose / summary

Given references, organizational security documentation, cyber security guidance and required tools and resources, analyzes the security of new or existing computer applications, software, or specialized utility programs and provides actionable results.

Duties and responsibilities

• Define/validate business needs for security & security requirements
• Review and analyze security IT architectures & design documents, as well as related systems, protocols, services, controls, appliances, applications, encryption and crypto algorithms relative to security requirements and industry standards
• Research, analyze and implement secure application development processes and techniques;
• Analyze the security data and provide advisories and reports
• Develop and conduct software system or application testing and validation procedures, programming, and secure coding, and report on functionality and resiliency;
• Develop and review system use cases
• Conduct vulnerability scans and reviews on software systems or applications, and examine controls and measures required to protect software systems or applications;
• Prepare reports on software systems, development and applications, patches or releases that would leave systems vulnerable;
• Develop countermeasures against potential exploitations of vulnerabilities in systems;
• Perform risk analysis whenever an application or system undergoes a change; and
• Prepare technical reports such as IT security solutions option analysis and implementation plans
• Provide Independent Verification and Validation (IV&V) on software projects
• Advise on software security policies, plans and practices
• Review, develop and deliver training materials

Competencies:

Basic application of the following KSAs:

• Security architecture concepts and enterprise information security architecture model
• Security assessment and authorization processes
• Software procurement processes and supply chain integrity assessments
• IT security systems testing and evaluations tools, procedures and practices

Advanced application of the following KSAs:

• Software engineering models, processes and principles
• Software development lifecycle and software project management
• Secure coding/software development operations processes, procedures, practices, tools and techniques
• Business needs for security including compliance requirements
• Data security characteristics and requirements
• Security controls for software development
• Software development standards
• Secure software standards
• Secure software testing and evaluation methodologies and processes
• Vulnerability assessment and penetration testing methodologies and applications
• Developing and testing threat models
• Vulnerability scanning, assessment and analysis
• Penetration testing activities and techniques
• Investigating and analyzing software vulnerabilities and breaches
• Establishing and managing a secure software/ web application testing environment
• Advising on security requirements, policies, plans and activities
• Drafting and providing briefings and reports to different audience levels (users, managers, executives)

Tools and Technology:

• Software development tools, processes and protocols
• Threat and risk assessment tools and methodologies
• Protective and defensive systems including firewalls, anti-virus software and systems, intrusion detection and protection systems, scanners and alarms
• Open source software and application security information (e.g. OWASP)
• Security event and incident management systems and/or incident reporting systems and networks
• Software security testing and evaluation tools and techniques
• Authentication software and systems,
• Vulnerability management processes and vulnerability assessment systems including penetration testing if used
• Common vulnerability data bases
• Software development social collaboration sites (e.g. GITHUB)
• Security services provided if applicable

Direct reports (if appropriate)

To be completed by the user of this job description as appropriate

Qualifications

Education. Relevant computer science degree or diploma related to programming, software design or software development, or equivalent training and experience

Certifications. Valid industry level certification in related secure software development and software security testing

Other relevant qualifications.

Typically follows formal education and 5-10 years’ experience in the software development field. This role often requires advanced training, education or experience related to secure software and vulnerability assessment activities for software / application security.

Key Attributes.

To be completed by the user of this job description as appropriate

Experience. Moderate experience (3-5 years) in software development followed by moderate experience (3-5 years) in secure software development activities.

Working conditions (if required)

If the job requires a person to work in special working conditions this should be stated in the job description. Special working conditions cover a range of circumstances from regular evening and weekend work, shift work, working outdoors, working with challenging clients, and so forth.

Physical requirements (if appropriate)

If the job is physically demanding, this should be stated in the job description. A physically demanding job is one where the incumbent is required to stand for extended periods of time, lift heavy objects on a regular basis, do repetitive tasks with few breaks, and so forth.