Job #4926 - Vulnerability Analyst

CERT Coordination Center, Networked Systems Survivability Program

SUMMARY

The Vulnerability Analysis Team within the CERT Program’s CERT Coordination Center (CERT/CC) is a group of internet security experts that serve as a trusted and neutral coordination body, dedicated to remediating software vulnerabilities and providing practical guidance for customers, system administrators, security researchers, and the global internet security community to reduce the amount of time software systems are vulnerable. The primary roles of the Vulnerability Analysis Team include:

• Software vulnerability analysis including black box testing, source code examination, and attack reproduction
• Customer, vendor, and reporter correspondence
• Publication of technical documents and remediation information
• Tool specification and development

The individual in this position must be self-motivated and will have the opportunity to serve as a strong contributor and technical leader in the analysis, coordination, and remediation of software vulnerabilities.

The intent is for this position to be primarily located in Washington D.C., but this position could be located in Pittsburgh, PA with travel to the Washington D.C. area on a regular basis.

ESSENTIAL FUNCTIONS

1. Analyze vulnerability reports using tools, processes, and techniques designed to provide fact-based analysis to other stakeholders in the vulnerability disclosure process.
2. Research, specify, and develop new tools, processes and techniques to improve vulnerability analysis methodology and to support interaction with stakeholders.
3. Correspond with software vendors, vulnerability researchers, sponsors, and other stakeholders.
4. Communicate analytical results in various technical communities to promote collaboration and shared understanding of vulnerability preconditions and impacts.
5. Write and publish short to medium-length documents describing vulnerability mitigation strategies and root-cause analyses.
6. Represent CERT/CC in other forums (e.g., conferences, workshops, etc.)
7. Provide assistance and input to other teams and projects within the SEI.
8. Be on call to respond to Internet emergencies (outside of normal business hours)
9. Review work of and act as mentor to other team members

MINIMUM QUALIFICATIONS

Bachelor of Science in Computer Science, Information Science, Information Management with three years applicable experience as a system or network administrator, software developer, database administrator or similarly technical occupation; or Master of Science in Computer Science, Information Science or Information or equivalent with one year applicable experience.

* We will consider other educational backgrounds in a technical discipline with experience as described.

Experience: Candidates should have experience working with the government community;
at least three years of experience in a Windows and Unix/Linux environment and be able to demonstrate substantial knowledge of at least four of the following:

• various internet protocols (e.g., TCP/IP, DNS, BGP, SMTP, HTTP)
• computer system and Internet security issues
• various security technologies (e.g., encryption, firewalls, and anti-virus products)
• software runtime analysis, debugging, and security testing techniques
• security auditing practices
• underlying software defects that routinely result in security vulnerabilities (e.g., input validation errors)
• understanding of intruder techniques and software exploitation methods
• system, database, and/or network administration
• operational details of multiple operating systems
• cryptographic principles and common cryptographic protocols
• one or more programming languages (e.g., C/C++, Perl, or Java)
• vulnerability management concepts and tools
  

Skills/Abilities:

• have an interest in and have extensive knowledge of network and computer security issues
• have the ability to analyze software to discover vulnerabilities
• be able to develop and explain technical decisions
• be able to separate fact from opinion and speculation
• have excellent work prioritization, planning, and organizational skills
• interact effectively with vulnerability reporters, system and network administrators, vendors, experts, Internet users, sponsors, policy makers, news reporters, managers and staff (i.e., stakeholders in the vulnerability disclosure process)
• be able to work with closely coordinated team during emergencies
• excellent analytical, reasoning, and creative problem solving skills
• excellent written, oral communication skills
• recognize and deal appropriately with confidential and sensitive information
• be able to work meticulously with careful attention to detail
• be able to collaborate effectively and work closely within a coordinated team environment
• be able to quickly learn new procedures, techniques, and approaches
• maintain composure while dealing with difficult people
• communicate and work effectively under normal and stressful situations
• meet inflexible deadlines
• possess strong leadership and mentoring abilities
• be motivated to tackle challenging problems

OTHER

Mobility: Primarily sedentary, long periods of sitting. Ability to travel to various locations within the SEI and CMU community, customer sites, conferences, and offsite meetings with some frequency.

Environmental Conditions: Normal office conditions; however close contact with computer for prolonged periods of time.

Mental: The ability to work well under pressure of deadlines.

Other: Candidate must be able to pass a background check, obtain a security clearance, and be a U.S. citizen.

To apply please go to
Careers@CarnegieMellon

The Software Engineering Institute (SEI) is a federally funded research and development center sponsored by the U.S. Department of Defense and operated by Carnegie Mellon University.

Copyright 2006 Carnegie Mellon University.

See the conditions for use, disclaimers, and copyright information.

This page was last updated July 08, 2008