Position Summary: We are looking for someone familiar with compilers (particularly dataflow analysis or other forms of static analysis) to work on projects developing techniques for automatically repairing source code to remove certain common classes of vulnerabilities.
Software vulnerabilities constitute a major threat to many of our nation’s mission-critical systems. Static analysis tools help identify these bugs, but they typically are used late in the development process and produce an enormous number of warnings, overwhelming the ability of the development team to fix the code. Automated code repair holds the potential to eliminate security vulnerabilities much faster and at a much lower cost than manual repair.
The Secure Coding team of the world-renowned CERT division of the Software Engineering Institute is a pioneer in the identification and development of secure coding and secure software development practices. Joining the Secure Coding team, you will work with world-class cyber security experts to help software developers and software development organizations reduce vulnerabilities resulting from coding errors before they are deployed. We identify common programming errors that lead to software vulnerabilities, establish secure coding standards, educate software developers, and advance the state of the practice in secure coding that leads to secure software systems.
The successful candidate will participate in research and engineering projects related to developing secure software systems, write reports and deliver presentations that explain the findings of their work, and work directly with customers to help transition our work into practice.
Minimum Qualifications and Requirements:
Education/Training: BS in Computer Science or Software Engineering with 3 years of applicable experience, or equivalent knowledge and ability. Familiarity with compilers at least to the level of an undergrad compilers course, especially dataflow analysis. Firm grasp of data structures and algorithms.
Successful candidates will have the ability to:
- Develop and analyze source code in C and C++
- Build and configure various software build environments, and build custom tools to integrate and automate the use of software building and analysis tools
- Analyze data from multiple sources, generate defensible results, and represent them in reporting products and interactions with customers, sponsors, and the public
- Contribute in a team environment with other team members with varying skills, experience and locations
- Recognize and deal appropriately with confidential and sensitive information such as source code and software weaknesses and vulnerabilities
- Develop and explain technical decisions and recommendations effectively with technical and non-technical audiences through verbal and written communications that lead to actionable and measurable improvements
- Work meticulously, with the careful attention to detail required to identify defects and weaknesses in the source code of large software systems and to identify opportunities for improvements to the development process
- Be self-motivated and capable of self-learning to maintain a working knowledge of the ever-changing software development landscape
Mobility: Primarily sedentary, long periods of sitting; ability to travel to various locations within the SEI and Carnegie Mellon community, customer sites, conferences, and offsite meetings with some frequency.
Environmental Conditions: Normal office conditions, close contact with computer for prolonged periods of time.
Mental: Ability to work under pressure and changing priorities; pay attention to detail; meet inflexible deadlines; deal with difficult individuals while maintaining composure.
Other: Candidates will be subject to a background check and must be eligible to obtain and maintain a Department of Defense security clearance.
Preferred Qualifications and Requirements:
Education/Training: MS in Computer Science or Software Engineering, with 1 year of applicable experience.
Skills/Abilities: Thorough knowledge of the C programming language. Basic familiarity with x86 assembly language. Ability to read and write code in Python. Ability to write an analysis pass for LLVM. Ability to develop software that exhibits desired security properties. Ability to evaluate software for desired security properties.
Accountability: Contributes to program objectives and plans development.
Direction: Performs under minimal supervision; independent judgment is encouraged. Most normal duties and responsibilities are handled independently with the use of established procedures and policies. Difficult or unique situations are referred to the supervisor. Ability to work directly on-site at a customer location with minimal direct supervision from the direct supervisor.
Decisions: Participate in conferences and workshops where security-related issues are discussed as required.
Job Functions or Responsibilities:
40% Contribute to internally funded research projects, developing experimentation environments, evaluating secure software development practices, and communicating results internally and externally in reports and presentations.
30% Directly support customer work in secure coding, verification and validation techniques, and technical training. Tailor our current offerings to provide value to customers by evaluating their software, software development, and software acquisition/procurement practices, and providing improvement recommendations. Communicate the findings of such evaluations through reports and presentations. Build new tools and capabilities that improve our ability to meet customer needs.
15% Codify knowledge that has been gained through customer and research projects to expand and update knowledge transfer materials, such as Secure Coding guidelines, training materials, and tools.
15% Develop knowledge and understanding of SEI capabilities; learn how SEI capabilities can be applied to customer problems; work directly with SEI staff supporting the community with disciplines related to secure coding and secure development.
100% TOTAL EFFORT
Organizational Chart: CERT Director < CERT/CSF Technical Director < CERT/Secure Coding Technical Manager < Associate Software Engineer.
Carnegie Mellon University is an EEO/Affirmative Action Employer – M/F/Disability/Veteran