Position Summary: The Vulnerability Analysis Team, within the CERT Program’s CERT Coordination Center (CERT/CC), is a group of internet security experts that serve as a trusted and neutral coordination body, dedicated to remediating software vulnerabilities and providing practical guidance for customers, system administrators, security researchers, and the global internet security community to reduce the amount of time software systems are vulnerable.
The primary roles of the Vulnerability Analysis Team include:
- Software vulnerability analysis including black box testing, source code examination, and attack reproduction
- Customer, vendor, and reporter correspondence
- Publication of technical documents and remediation information
- Tool specification and development
The individual in this position must be self-motivated and will have the opportunity to serve as a strong contributor and technical leader in the analysis, coordination, and remediation of software vulnerabilities.
The intent is for this position to be primarily located in Pittsburgh, PA with occasional travel to the Washington D.C. area on a monthly basis.
Minimum Qualifications and Requirements:
Education: Bachelor of Science in Computer Science, Information Science, Information Management with three (3) years applicable experience as a system or network administrator, software developer, database administrator or similarly technical occupation; or Master of Science in Computer Science, Information Science or Information or equivalent with one year applicable experience. We will consider other educational backgrounds in a technical discipline with experience as described.
Experience: Candidates should have experience working with the government community; at least three years of experience in a Windows and Unix/Linux environment and be able to demonstrate substantial knowledge of at least four of the following:
- various internet protocols (e.g., TCP/IP, DNS, BGP, SMTP, HTTP) computer system and Internet security issues various security technologies (e.g., encryption, firewalls, and anti-virus products) software runtime analysis, debugging, and security testing techniques
- security auditing practices
- underlying software defects that routinely result in security vulnerabilities (e.g., input validation errors)
- understanding of intruder techniques and software exploitation methods
- system, database, and/or network administration
- operational details of multiple operating systems
- cryptographic principles and common cryptographic protocols
- one or more programming languages (e.g., C/C++, Perl, or Java)
- vulnerability management concepts and tools
Skills/Abilities: Successful candidates will:
- have an interest in and have extensive knowledge of network and computer security issues
- have the ability to analyze software to discover vulnerabilities
- be able to develop and explain technical decisions
- be able to separate fact from opinion and speculation
- have excellent work prioritization, planning, and organizational skills
- interact effectively with vulnerability reporters, system and network administrators, vendors, experts, Internet users, sponsors, policy makers, news reporters, managers and staff (i.e., stakeholders in the vulnerability disclosure process)
- be able to work with closely coordinated teams during emergencies
- have excellent analytical, reasoning, and creative problem solving skills
- have excellent written and oral communication skills
- recognize and deal appropriately with confidential and sensitive information
- be able to work meticulously with careful attention to detail
- be able to collaborate effectively and work closely within a coordinated team environment
- be able to quickly learn new procedures, techniques, and approaches
- maintain composure while dealing with difficult people
- communicate and work effectively under normal and stressful situations
- meet inflexible deadlines
- possess strong leadership and mentoring abilities
- be motivated to tackle challenging problems
Mobility: Primarily sedentary, long periods of sitting. Ability to travel to various locations within the SEI and CMU community, customer sites, conferences, and offsite meetings with some frequency.
Environmental Conditions: Normal office conditions; however close contact with computer for prolonged periods of time.
Mental: The ability to work well under pressure of deadlines
Other: Candidates will be subject to a background check and must be eligible to obtain and maintain a Department of Defense security clearance.
Preferred Qualifications and Requirements:
Education/Training: Master of Science in Computer Science, Information Science or Information or equivalent with one year applicable experience; or Ph.D in Computer Science, Information Science or Information. We will consider other educational backgrounds in a technical discipline with experience as described.
Experience: Ideal candidates will have substantial experience in two or more of the following areas:
- industrial/process control systems
- web application development
- computer and network architecture
- reverse engineering
- software development
- computer and network architecture
- network security and survivability issues, to include knowledge of and experience with information security concepts, information security best practices and bodies of knowledge, and computer security incident response management
Accountability: Develop and implement project technical results. Contribute to program objectives and plans development. Keep in confidence sensitive information such as security, vulnerability, and site-specific information.
Direction: Regular interaction with supervisor. Expected to act in accordance with SEI and CERT program procedures and policies, such as those involving product development, team interaction, and confidentiality.
Decisions: Must accurately represent the program in interactions with customers, sponsors, and the public. Participate in conferences and workshops where security-related issues are discussed as required.
Supervisory Responsibilities: Contributes to hiring decisions of program staff; appraises performance of support staff.
Job Functions or Responsibilities:
40% Analyze vulnerability reports using tools, processes, and techniques designed to provide fact-based analysis to other stakeholders in the vulnerability disclosure process.
20% Research, specify, and develop new tools, processes and techniques to improve vulnerability analysis methodology and to support interaction with stakeholders.
10% Correspond with software vendors, vulnerability researchers, sponsors, and other stakeholders.
10% Communicate analytical results in various technical communities to promote collaboration and shared understanding of vulnerability preconditions and impacts.
5% Write and publish short to medium-length documents describing vulnerability mitigation strategies and root-cause analyses.
5% Represent CERT in other forums (e.g., conferences, workshops, etc.).
5% Provide assistance and input to other teams and projects within the SEI.
5% On call to respond to Internet emergencies (outside of normal business hours).
100% TOTAL EFFORT
Organizational Chart: CERT Program Director < Threat Analysis Technical Director < Vulnerability Analysis Technical Manager < Vulnerability Analyst
Carnegie Mellon University is an EEO/Affirmative Action Employer – M/F/Disability/Veteran