SP-DEV-001 Software Developer

Conceptualizes, designs, procures, and/or builds secure information technology (IT) systems, with responsibility for aspects of system and/or network development.

Develops and writes/codes new (or modifies existing) computer applications, software, or specialized utility programs following software assurance best practices.

Develops, creates, maintains, and writes/codes new (or modifies existing) computer applications, software, or specialized utility programs.

Knowledges 44

Code Description Work Roles
K0001 Knowledge of computer networking concepts and protocols, and network security methodologies. 52
K0002 Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). 52
K0003 Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy. 52
K0004 Knowledge of cybersecurity and privacy principles. 52
K0005 Knowledge of cyber threats and vulnerabilities. 52
K0006 Knowledge of specific operational impacts of cybersecurity lapses. 52
K0014 Knowledge of complex data structures. 2
K0016 Knowledge of computer programming principles. 3
K0027 Knowledge of organization's enterprise information security architecture. 9
K0028 Knowledge of organization's evaluation and validation requirements. 8
K0039 Knowledge of cybersecurity and privacy principles and methods that apply to software development. 2
K0044 Knowledge of cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). 14
K0050 Knowledge of local area and wide area networking principles and concepts including bandwidth management. 6
K0051 Knowledge of low-level computer languages (e.g., assembly languages). 4
K0060 Knowledge of operating systems. 13
K0066 Knowledge of Privacy Impact Assessments. 6
K0068 Knowledge of programming language structures and logic. 4
K0070 Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code). 13
K0073 Knowledge of secure configuration management techniques (e.g., Security Technical Implementation Guides (STIGs), cybersecurity best practices on cisecurity.org). 5
K0079 Knowledge of software debugging principles. 2
K0080 Knowledge of software design tools, methods, and techniques. 2
K0081 Knowledge of software development models (e.g., Waterfall Model, Spiral Model). 4
K0082 Knowledge of software engineering. 7
K0084 Knowledge of structured analysis principles and methods. 6
K0086 Knowledge of system design tools, methods, and techniques, including automated systems analysis and design tools. 5
K0105 Knowledge of web services (e.g., service-oriented architecture, Simple Object Access Protocol, and web service description language). 2
K0139 Knowledge of interpreted and compiled computer languages. 8
K0140 Knowledge of secure coding techniques. 3
K0152 Knowledge of software related information technology (IT) security principles and methods (e.g., modularization, layering, abstraction, data hiding, simplicity/minimization). 2
K0153 Knowledge of software quality assurance process. 2
K0154 Knowledge of supply chain risk management standards, processes, and practices. 7
K0170 Knowledge of critical infrastructure systems with information communication technology that were designed without system security considerations. 12
K0179 Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). 19
K0199 Knowledge of security architecture concepts and enterprise architecture reference models (e.g., Zachman, Federal Enterprise Architecture [FEA]). 6
K0202 Knowledge of the application firewall concepts and functions (e.g., Single point of authentication/audit/policy enforcement, message scanning for malicious content, data anonymization for PCI and PII compliance, data loss protection scanning, accelerated cryptographic operations, SSL security, REST/JSON processing). 4
K0260 Knowledge of Personally Identifiable Information (PII) data security standards. 16
K0261 Knowledge of Payment Card Industry (PCI) data security standards. 17
K0262 Knowledge of Personal Health Information (PHI) data security standards. 17
K0263 Knowledge of information technology (IT) risk management policies, requirements, and procedures. 3
K0322 Knowledge of embedded systems. 10
K0332 Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services. 14
K0342 Knowledge of penetration testing principles, tools, and techniques. 8
K0343 Knowledge of root cause analysis techniques. 2
K0624 Knowledge of Application Security Risks (e.g., Open Web Application Security Project Top 10 list). 13

Skills 14

Code Description Work Roles
S0001 Skill in conducting vulnerability scans and recognizing vulnerabilities in security systems. 6
S0014 Skill in conducting software debugging. 1
S0017 Skill in creating and utilizing mathematical or statistical models. 3
S0019 Skill in creating programs that validate and process multiple inputs including command line arguments, environmental variables, and input streams. 1
S0022 Skill in designing countermeasures to identified security risks. 5
S0031 Skill in developing and applying security system access controls. 5
S0034 Skill in discerning the protection needs (i.e., security controls) of information systems and networks. 6
S0060 Skill in writing code in a currently supported programming language (e.g., Java, C++). 7
S0135 Skill in secure test plan design (e.g., unit, integration, system, acceptance). 3
S0138 Skill in using Public-Key Infrastructure (PKI) encryption and digital signature capabilities into applications (e.g., S/MIME email, SSL traffic). 5
S0149 Skill in developing applications that can log and handle errors, exceptions, and application faults and logging. 1
S0174 Skill in using code analysis tools. 3
S0175 Skill in performing root cause analysis. 3
S0367 Skill to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). 14

Abilities 5

Code Description Work Roles
A0007 Ability to tailor code analysis for application-specific concerns. 1
A0021 Ability to use and understand complex mathematical concepts (e.g., discrete math). 2
A0047 Ability to develop secure software according to secure software deployment methodologies, tools, and practices. 1
A0123 Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). 15
A0170 Ability to identify critical infrastructure systems with information communication technology that were designed without system security considerations. 11

Tasks 34

Code Description Work Roles
T0267 Design countermeasures and mitigations against potential exploitations of programming language weaknesses and vulnerabilities in system and elements. 1
T0303 Identify and leverage the enterprise-wide version control system while designing and developing secure applications. 1
T0311 Consult with customers about software system design and maintenance. 2
T0324 Direct software programming and development of documentation. 2
T0337 Supervise and assign work to programmers, designers, technologists and technicians, and other engineering and scientific personnel. 3
T0416 Enable applications with public keying by leveraging existing public key infrastructure (PKI) libraries and incorporating certificate management and encryption functionalities when appropriate. 1
T0417 Identify and leverage the enterprise-wide security services while designing and developing secure applications (e.g., Enterprise PKI, Federated Identity server, Enterprise Antivirus solution) when appropriate. 1
T0436 Conduct trial runs of programs and software applications to ensure that the desired information is produced and instructions and security levels are correct. 2
T0455 Develop software system testing and validation procedures, programming, and documentation. 1
T0500 Modify and maintain existing software to correct errors, to adapt it to new hardware, or to upgrade interfaces and improve performance. 1
T0009 Analyze information to determine, recommend, and plan the development of a new application or modification of an existing application. 1
T0011 Analyze user needs and software requirements to determine feasibility of design within time and cost constraints. 1
T0013 Apply coding and testing standards, apply security testing tools including "fuzzing" static-analysis code scanning tools, and conduct code reviews. 2
T0014 Apply secure code documentation. 2
T0022 Capture security controls used during the requirements phase to integrate security within the process, to identify key security objectives, and to maximize software security while minimizing disruption to plans and schedules. 2
T0026 Compile and write documentation of program development and subsequent revisions, inserting comments in the coded instructions so others can understand the program. 1
T0034 Confer with systems analysts, engineers, programmers, and others to design application and to obtain information on project limitations and capabilities, performance requirements, and interfaces. 1
T0040 Consult with engineering staff to evaluate interface between hardware and software. 2
T0046 Correct errors by making appropriate changes and rechecking the program to ensure that desired results are produced. 1
T0057 Design, develop, and modify software systems, using scientific analysis and mathematical models to predict and measure outcome and consequences of design. 1
T0077 Develop secure code and error handling. 1
T0100 Evaluate factors such as reporting formats required, cost constraints, and need for security restrictions to determine hardware configuration. 2
T0111 Identify basic common coding flaws at a high level. 2
T0117 Identify security implications and apply methodologies within centralized and decentralized environments across the enterprise’s computer systems in software development. 2
T0118 Identify security issues around steady state operation and management of software and incorporate security measures that must be taken when a product reaches its end of life. 2
T0171 Perform integrated quality assurance testing for security functionality and resiliency attack. 2
T0176 Perform secure programming and identify potential flaws in codes to mitigate vulnerabilities. 1
T0181 Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change. 5
T0189 Prepare detailed workflow charts and diagrams that describe input, output, and logical operation, and convert them into a series of instructions coded in a computer language. 1
T0217 Address security implications in the software acceptance phase including completion criteria, risk acceptance and documentation, common criteria, and methods of independent testing. 2
T0228 Store, retrieve, and manipulate data for analysis of system capabilities and requirements. 4
T0236 Translate security requirements into application design elements including documenting the elements of the software attack surfaces, conducting threat modeling, and defining any specific security criteria. 2
T0553 Apply cybersecurity functions (e.g., encryption, access control, and identity management) to reduce exploitation opportunities. 2
T0554 Determine and document software patches or the extent of releases that would leave software vulnerable. 2