Job #3985 - Vulnerability Analyst, MTS-C
CERT Coordination Center, Networked Systems Survivability Program
SUMMARY
The Vulnerability Analysis Team within the CERT Program’s CERT Coordination Center (CERT/CC) is a group of internet security experts that serves as a trusted and neutral coordination body, dedicated to remediating software vulnerabilities and providing practical guidance for customers, system administrators, security researchers, and the global internet security community to reduce the amount of time software systems are vulnerable. The primary roles of the Vulnerability Analysis Team include:
- software vulnerability analysis
- customer, vendor, and reporter correspondence
- publication of technical documents and remediation information
- tool specification and development
The individual in this position must be self-motivated and will have the opportunity to serve as a strong contributor and technical leader in the analysis, coordination, and remediation of software vulnerabilities.
The intent is for this position to be primarily located in Washington D.C., but this position could be located in Pittsburgh, PA with travel to the Washington D.C. area on a regular basis.
ESSENTIAL FUNCTIONS
- Analyze vulnerability reports using tools, processes, and techniques designed to provide fact-based analysis to other stakeholders in the vulnerability disclosure process.
- Research, specify, and develop new tools, processes, and techniques to improve vulnerability analysis methodology and to support interaction with stakeholders.
- Correspond with software vendors, vulnerability researchers, sponsors, and other stakeholders.
- Communicate analytical results in various technical communities to promote collaboration and shared understanding of vulnerability preconditions and impacts.
- Write and publish short- to medium-length documents describing vulnerability mitigation strategies and root-cause analyses.
- Represent CERT/CC in other forums (e.g., conferences, workshops, etc.)
- Provide assistance and input to other teams and projects within the SEI.
- Be on call to respond to internet emergencies (outside of normal business hours)
- Review work of, and act as mentor to, other team members
MINIMUM QUALIFICATIONS
Education and Training: Bachelor of Science in Computer Science, Information Science, Information Management, and eight years applicable experience as a system or network administrator, software developer, database administrator, or similarly technical occupation; or Master of Science in Computer Science, Information Science, Information Management or equivalent with five years applicable experience.
* We will consider other educational backgrounds in a technical discipline with experience as described.
Experience: Candidates should have experience working with the government community; at least 5 years of experience in a Windows and Unix/Linux environment, and be able to demonstrate substantial knowledge of at least four of the following:
- various internet protocols (e.g., TCP/IP, DNS, BGP, SMTP, HTTP)
- computer system and internet security issues
- various security technologies (e.g., encryption, firewalls, and anti-virus products)
- software runtime analysis, debugging, and security testing techniques
- security auditing practices
- underlying software defects that routinely result in security vulnerabilities (e.g., input validation errors)
- understanding of intruder techniques and software exploitation methods
- system, database, and/or network administration
- operational details of multiple operating systems
- cryptographic principles and common cryptographic protocols
- one or more programming languages (e.g., C/C++, Perl, or Java)
- vulnerability management concepts and tools
Skills/Abilities:
Successful candidates will
- have an interest in and have extensive knowledge of network and computer security issues
- have the ability to analyze software to discover vulnerabilities
- be able to develop and explain technical decisions
- be able to separate fact from opinion and speculation
- have excellent work prioritization, planning, and organizational skills
- interact effectively with vulnerability reporters, system and network administrators, vendors, experts, internet users, sponsors, policy makers, news reporters, managers, and staff (i.e., stakeholders in the vulnerability disclosure process)
- have excellent analytical, reasoning, and creative problem-solving skills
- have excellent written and oral communication skills
- recognize and deal appropriately with confidential and sensitive information
- be able to work meticulously with careful attention to detail
- be able to collaborate effectively and work closely within a coordinated team environment
- be able to quickly learn new procedures, techniques, and approaches
- maintain composure while dealing with difficult people and situations
- meet inflexible deadlines
- possess strong leadership and mentoring abilities
- be motivated to tackle challenging problems
PREFERRED QUALIFICATIONS
Education/Training: Ph.D. in Computer Science, Information Science, or Information Management or equivalent with three years' experience.
We will consider other educational backgrounds in a technical discipline with experience as described.
Experience:
Ideal candidates will have substantial experience in two or more of the following areas:
- industrial/process control systems
- web application development
- computer and network architecture
- reverse engineering
- software development
- network security and survivability issues, to include knowledge of and experience with information security concepts, information security best practices and bodies of knowledge, computer security incident response management
Other:
Fluent oral and written communication in Spanish or other foreign language.
OTHER
Mobility: Primarily sedentary, long periods of sitting. Ability to travel to various locations within the SEI and CMU community, customer sites, conferences, and off-site meetings with some frequency.
Environmental Conditions: Normal office conditions; however, close contact with a computer for prolonged periods of time.
Mental: The ability to work well under pressure of deadlines.
Other: Candidate must be able to pass a background check, obtain a security clearance, and be a U.S. citizen.
Resumes from recruiting firms will not be accepted.
To apply, please go to Careers@CarnegieMellon.
Carnegie Mellon is an Affirmative Action/Equal Opportunity Employer.
The Software Engineering Institute (SEI) is a federally funded research and development center sponsored by the U.S. Department of Defense and operated by Carnegie Mellon University.
Copyright 2006 Carnegie Mellon University.
CERT® and CERT Coordination Center® are registered in the U.S. Patent and Trademark Office.
This page was last updated April 22, 2008