Security Engineer

Definition

Security Engineer

the role that is played when a person implements the security requirements and countermeasures

Classification

As illustrated in the preceding figure, Security Engineer is part of the following inheritance hierarchy:

• Type: Concrete
• Superclass: Engineer
• Subclasses:
  • None

Responsibilities

The typical role-specific responsibilities of a Security Engineer are to:

• Implement security requirements and mechanisms for components, applications, contact centers, and data centers.
• Install and configure security components (e.g., locks, firewalls, and security cameras).
• Take part in design and code inspections for security defects.
• Provide input into the design and coding standards.

Security Engineer typically inherits the general role responsibilities from the role method component.

Expertise

To fulfill these responsibilities, security engineers typically should have the following expertise, training, and knowledge:

• Expert knowledge of and experience with security engineering tasks, techniques (e.g., passwords, encryption/decryption, digital signatures), and tools.
• Expert knowledge of security architectural mechanisms and components (e.g., firewalls).
• Solid knowledge of security requirements.
• Expert knowledge of the programming languages to be used including their idioms and coding standards.
• Solid knowledge of applications, contact centers, and data centers.
• Basic knowledge of the customer’s business and application domain(s).
• Knowledge of one or more platforms to be used.
• A bachelor’s degree in software engineering, computer science, or the equivalent.
• One of the following security certifications:
  • Certified Information Systems Security Professionals (CISSP).
  • System Security Certified Practitioner (SSCP).
  • Certified Information Systems Auditors (CISA).

Tasks

Security engineers typically perform the following role-specific tasks in an iterative, incremental, parallel, and time-boxed manner:

• Security Architecting:
  • Architecture Prototyping
• Implementation (of security components):
  • Acquisition (e.g., firewalls, virus protection)
  • Programming
  • Debugging
• Deployment:
  • Application Installation (security components)
• Quality Control:
  • Certified Information Systems Auditors (CISA).
  • Certified Information Systems Security Professionals (CISSP).
  • Global Information Assurance Certification (GIAC).
  • System Security Certified Practitioner (SSCP).

Security engineers typically inherit common role tasks from the role method component.

Teams

Security Engineer typically performs these tasks as members of the following teams:

• Security Team
• Architecture Team
• Software Development Team
• Evaluation Teams:
  • Environments Evaluation Team
  • Architecture Evaluation Team
  • Software Evaluation Team

Work Products

As members of these teams, security engineers typically produce all or part of the following work products:

• Architecture Work Products:
  • Software Architecture Prototype
• Implementation Work Products:
  • Hardware Component
  • Software Component
• Quality Work Products:
  • Inspection Report
  • Inspection Summary Report

Guidelines

• Security engineers should work closely with security analysts and security architects.
• On small projects, the same person may play the security analyst, security architect, and security engineer roles.
• This role typically inherits the common team guidelines from the roles process component.