POSITION SUMMARY: Members of the Software approval process (SWAP) Review all non-Standard software and analyze results. Prepare reports and recommendations that document test and evaluation results to provide evaluations of program and system vulnerabilities as they relate to the reviewed software. Based upon Key Component request, reviews open source and foreign owned software in order to make a risk determination associated with its use and makes risk acceptance recommendation to the DAO.
Review and test security configuration baselines for facilities, systems, and processes, and ensure the continuing validity of baselines
Prepare reports and recommendations that document test and evaluation results
Conduct Software assurance testing using software vulnerability testing tools
Conduct Foreigner Owned Controlled and Influence assessments
Conduct Software Approval Open Source assessments
Conduct NGA developed custom code assessments
Position supports Agency efforts to evaluate mission-related software (commercial, government, and open source) to determine the risk of using software within the Agency. It requires employment of software code analysis techniques to mitigate risk during Software Development Life Cycles (SDLC)
Position also supports Agency Software Whitelist Assurance Process (SWAP), an automated paperless enterprise process for submission and adjudication of NGA software requests. It requires use of source-code analysis or research to identify whether software contains vulnerabilities or is foreign owned, controlled, or influenced
Position also supports Secure Code Review efforts to enable the analysis of custom applications and software used by NGA
Seasoned technical individual contributor
Works independently with limited supervision
May manage projects / processes
Coaches and reviews the work of lower level professionals
Problems faced are difficult and sometimes complex
Influences others regarding system design, solutions, and procedures
EDUCATION & EXPERIENCE:
Typically requires a bachelor's degree or equivalent and ten to twelve years related experience. Master's degree or doctorate in field mathematics, telecommunications, electrical engineering, computer engineering, or computer science is preferred
DoD 8570 Certification IAT or IAM Level III within 6 months of hire
Knowledge in software development using Java, Microsoft .NET (C# or VB) OR C/C++ 5+ years. Knowledge of common build tools (e.g. ant, make, maven, msbuild, etc.)
Knowledge in developing and/or deploying web applications. Knowledge of software, computer, and network architectures
Knowledge and experience in enterprise security or application security. Prior experience working with Federal government organizations (DoD, Civilian agencies)
Be highly motivated, competitive, entrepreneurial and attracted to challenging opportunities. Have demonstrated the ability to work in a fast-paced environment where organizational skills are essential; have strong problem solving, analytical, interpersonal, and ownership skills
Possess excellent collaboration skills with a wide variety of internal team members. Be an intelligent, self-starting, self-confident individual with integrity and accountability. Possess strong written and verbal communication skills as well as presentation skills
Determine the risk of using commercial, government, and open source software within Agency
Investigate the software’s provenance and history of use within Agency
Categorize software based on potential risk indicators
Coordinate with internal and external Offices of Primary Responsibility (e.g., Counter-Intelligence) to determine risks related to foreign owned, controlled, or influenced software
Identify vulnerabilities and verify that vulnerabilities are mitigated
Provide input for generating Memorandum of Approvals using the SWAP tool
Consult with SWAP tool developers to provide user stories, participate in planning meetings and demonstrations to enable adjustments to the SWAP tool
Provide Information System Owner’s guidance on effective implementation of NGA software code analysis tool(s) during the SDLC to include:
Plan scanning resource requirements.
Specify what source code will be evaluated.
Integrate scans within software build processes.
Provide subject matter expertise for integrating software code analysis within NGA DevOps environments:
Integrate code analysis tools with DevOps software development and test tools and processes.
Update and maintain code analysis tools in NGA’s DevOps environments.
Develop processes for analyzing scan reports within the DevOps cadence.
Analyze problem reports and identify corrective actions to remediate security issues in code prior to the software transitioning from development to operations
Recommend new code analysis tools and innovative techniques to strengthen software assurance processes
Knowledge of Mobile application security testing experience a plus
Experience with multiple operating systems is strongly desired
CISSP, CSSLP, CISA, CEH, and/or MCSE/MCITP certifications are preferable
PHYSICAL DEMANDS: Normal demands associated with an office environment. Ability to work on computer for long periods, and communicate with individuals by telephone, email and face to face. Some travel may be required.