Position Summary: This is an entry level position that is responsible for acting as the primary coordinator for all software vulnerabilities reported to the CERT Vulnerability Analysis team. CERT receives vulnerability reports through a variety of sources, mainly from the Vulnerability Reporting Form (VRF) on the cert.org website and direct correspondence from researchers, usually through the firstname.lastname@example.org email address. The individual will lead customer, vendor, and reporter coordination, and will write vulnerability reports to be published in the CERT website. These vulnerability notes will include detailed technical descriptions of a given vulnerability in addition to any mitigation recommendations. This individual will also be responsible for software vulnerability analysis including black box testing, source code examination, and attack reproduction. The individual in this position must be self-motivated and will have the opportunity to serve as a strong contributor in the analysis, coordination, and remediation of software vulnerabilities.
Minimum Qualifications and Requirements:
Education/Training: Bachelor’s degree in Computer Science or related field, or equivalent in education and Minimum of three (3) years’ experience' or Master's degree in Computer Science or related field with one (1) year experience or combination of experience and training.
Experience: This is an entry level position that provides an opportunity for an individual with the educational background and interest to gain experience in the field of computer security. The individual in this position should have the interest or classroom experience studying system or network administration, software development, database administration, or similarly technical areas. Candidates should have experience in a Windows and Unix/Linux environment and be able to demonstrate substantial knowledge of at least four of the following: various internet protocols (e.g., TCP/IP, DNS, BGP, SMTP, HTTP); computer system and Internet security issues; various security technologies (e.g., encryption, firewalls, and anti-virus products); software runtime analysis, debugging, and security testing techniques; security auditing practices; underlying software defects that routinely result in security vulnerabilities (e.g., input validation errors); understanding of intruder techniques and software exploitation methods; system, database, and/or network administration; operational details of multiple operating systems; cryptographic principles and common cryptographic protocols; one or more programming languages (e.g., C/C++, Perl, or Java); vulnerability management concepts and tools.
Skills/Abilities: Successful candidates will: have an interest in and have extensive knowledge of network and computer security issues; have the ability to analyze software to discover vulnerabilities; be able to develop and explain technical decisions; be able to separate fact from opinion and speculation; have excellent work prioritization, planning, and organizational skills; interact effectively with vulnerability reporters, system and network administrators, vendors, experts, Internet users, sponsors, policy makers, news reporters, managers and staff (i.e., stakeholders in the vulnerability disclosure process); be able to work with closely coordinated team during emergencies; excellent analytical, reasoning, and creative problem solving skills; excellent written, oral communication skills; recognize and deal appropriately with confidential and sensitive information; be able to work meticulously with careful attention to detail; be able to collaborate effectively and work closely within a coordinated team environment; be able to quickly learn new procedures, techniques, and approaches; maintain composure while dealing with difficult people; communicate and work effectively under normal and stressful situations; meet inflexible deadlines; possess strong leadership and mentoring abilities; be motivated to tackle challenging problems.
Physical Mobility: Sedentary.
Environmental Conditions: Close contact with computer displays for prolonged periods.
Mental: Ability to work under pressure; work concurrently on multiple programs in different stages, pay attention to detail; meet inflexible deadlines; deal with difficult individuals while maintaining composure.
Other: U.S. Citizenship is required. Applicants will be subject to a security investigation and must meet eligibility requirements for access to classified information, and must be able to pass a background investigation.
Preferred Qualifications and Requirements:
Experience: Ideal candidates will have substantial experience in two or more of the following areas: industrial/process control systems; web application development; computer and network architecture; reverse engineering; software development; computer and network architecture; network security and survivability issues, to include knowledge of and experience with information security concepts, information security best practices and bodies of knowledge, computer security incident response management.
Accountability: This position is accountable for: Coordinating all software vulnerabilities reported to the CERT Vulnerability Analysis team; leading customer, vendor, and reporter coordination; producing vulnerability reports to be published.
Direction: Expected to perform under general supervision. Most normal duties and responsibilities are handled independently with the use of established research protocol and departmental and university procedures and policies. Difficult or unique situations are referred to the supervisor.
Decisions: Suggests possible solutions to colleagues and users.
Supervisory Responsibilities: This position does not supervise others.
JOB FUNCTIONS OR RESPONSIBILITIES:
40% Analyzes incoming vulnerability reports to determine technical validity and merit. Coordinates response strategy with affected vendors. Publishes corresponding vulnerability notes.
40% Performs vulnerability discovery and validation using in-house CERT fuzzing tools.
10% Attends required meetings and participates in various seminars and training classes to maintain or update skills needed.
5% Submits regular work progress reports to supervisor.
5%Performs related duties as assigned.
100% TOTAL EFFORT
ORGANIZATIONAL CHART: CERT Director->CERT/CC Technical Director->Vulnerability Analysis Technical Manager->Vulnerability Analysis Team Lead->Vulnerability Analyst
Carnegie Mellon University is an EEO/Affirmative Action Employer – M/F/Disability/Veteran