Cyber Security: Research development and design

Find out about the job roles that comprise the Cyber Security - Research development and design job family practice.


Secure design

Role summary

The role of Secure Design covers testing or assurance to ensure that security is embedded in all stages of the application development life cycle, and that there is continuous monitoring through use. Roles in this area will also advise on and test the efficacy of measures to build security into continuous integration and deployment pipelines.

Role levels are:

Entry routes

Internal: Suitable for an individual from the Government Security Profession, Digital, Data and Technology Profession, or Analytics Profession

External: Suitable for an individual who has worked in penetration testing, application security or development security operations

Skills required in secure design

  • Secure design. Secure design is the ability to apply Cyber Security functions or designs to reduce high-level to low-level service exploitation opportunities. Secure design includes designing countermeasures and mitigations against potential exploitations of service weaknesses for applications, systems, hardware and/or services.
  • Secure development. Secure development allows for the implementation of secure systems, products and components, using appropriate methodologies and frameworks. It includes the development, creation, maintenance and coding of new (or modification of existing) computer applications, software or bespoke utility programs for business outcomes.
  • Information risk assessment and risk management. Information risk assessment and risk management identifies and evaluates security risks to information, systems, and processes owned by the organisation, and proactively provides appropriate advice, drawing on a wide variety of sources, to stakeholders across the organisation and at a variety of levels.
  • Protective security. Protective security encompasses the combination and multi-layering of appropriate and proportionate Physical, Personnel and Cyber Security measures to help identify and respond to any attack. Security requirements will change accordingly with the locally identified threats and vulnerabilities.
  • Threat understanding. Threat understanding encompasses evidence-based knowledge, including context, about an existing or emerging threat to assets that can be used to inform decisions.

 

Secure design associate

Typical role level expectations

  • Embed ‘secure by design’ principles into application development, integrating security tools, standards, and processes into product life cycles
  • Support the assessment of application resilience throughout an IT estate, generating regular application security reports to provide information about statistics and trends
  • Follow processes, provide standardised advice on tooling for, and conduct dynamic and static analysis in the product development life cycle
  • Work with development teams to embed secure development life cycle and security awareness, and ensure appropriate tools and skills exist

Skills needed for this role

  • Secure design (Relevant skill level: working). At this level you:
    • Produce high-level design and develop processes for maintaining the security of a service through its full life cycle
    • Understand and can define secure design principles, frameworks and standards for designing a digital service
    • Explain processes that maintain the required level of security of a component, product, or system through its life cycle
    • Apply secure code/hardware documentation
    • Confer with stakeholders such as engineers and programmers to design high-level applications/services
    • Scope security audits in accordance with a digital service framework
  • Secure development (Relevant skill level: working). At this level you:
    • Develop services by writing in programming and scripting languages
    • Take a lead in conducting software debugging and guide developers/engineers to resolve issues
    • Create and deliver automated assurance against Technical Security guidance and configurations
    • Implement business logic and technical solutions to design out fraud and error
    • Build and implement security audit points in digital services
    • Drive secure coding practices and champion them in the engineering community
  • Information risk assessment and risk management (Relevant skill level: working). At this level you:
    • Support security professionals in carrying out risk assessments and developing mitigation strategies for relatively common and well-understood scenarios
    • Have an understanding of, and can apply, the fundamental principles of risk assessment, risk management processes and decision-making
  • Protective security (Relevant skill level: awareness). At this level you:
    • Maintain an up-to-date understanding of fundamentals of all areas of security (especially in the context of government), and appreciate the importance of making use of a combination and multi-layering of appropriate and proportionate Physical, Personnel and Cyber Security measures to protect assets
    • Identify aspects from across the breadth of the security field
    • Promote protective security, providing advice to others
  • Threat understanding (Relevant skill level: awareness). At this level you:
    • Describe specific threats and how they may manifest themselves in a local environment
    • Maintain an understanding of the local threat environment and can apply it to inform and provide context for wider activities
    • Use local threat information in decision-making and planning
    • Demonstrate knowledge of current threats and trends affecting the landscape

 

Secure design lead

Typical role level expectations

  • Manage the embedment of ‘secure by design’ principles into application development by providing specialist internal consultancy and integrating security tools, standards, and processes into product life cycles
  • Manage the assessment of application resilience throughout an IT estate, reviewing regular application security reports, and prioritising based on risk appetite and business requirements
  • Manage processes, provide tailored advice on tooling for, and conduct dynamic and static analysis in the product development life cycle
  • Ensure appropriate channels for vulnerability disclosure exist in line with policy, and any bounty programme is effectively managed to ensure identified vulnerabilities are quickly remediated

Skills needed for this role

  • Secure design (Relevant skill level: practitioner). At this level you:
    • Lead and create documentation of a digital service and subsequent revisions, inserting comments in the coded instructions so it can be understood by others, including engineers
    • Lead the preparation of detailed workflow and diagrams that describe input, output and logical operation of a digital service
    • Produce low-level design and develop processes for maintaining the security of a service through its full life cycle
    • Lead and translate security requirements into application design elements including documenting specific security criteria
    • Create audit points in the software development life cycle process by designing audit compliance
  • Secure development (Relevant skill level: practitioner). At this level you:
    • Develop services by writing in programming and scripting languages
    • Lead software debugging and guide developers/engineers to resolve issues
    • Create and deliver automated assurance against Technical Security guidance and configurations
    • Implement business logic and technical solutions to design out fraud and error
    • Build and implement security audit points in digital services
    • Drive secure coding practices and champion them, including in the engineering community
  • Information risk assessment and risk management (Relevant skill level: working). At this level you:
    • Support security professionals in carrying out risk assessments and developing mitigation strategies for relatively common and well-understood scenarios
    • Have an understanding of, and can apply, the fundamental principles of risk assessment, risk management processes and decision-making
  • Protective security (Relevant skill level: awareness). At this level you:
    • Maintain an up-to-date understanding of fundamentals of all areas of security (especially in the context of government), and appreciate the importance of making use of a combination and multi-layering of appropriate and proportionate Physical, Personnel and Cyber Security measures to protect assets
    • Identify aspects from across the breadth of the security field
    • Promote protective security, providing advice to others
  • Threat understanding (Relevant skill level: working). At this level you:
    • Interpret sources of threat information for the local environment and apply knowledge of the external environment
    • Maintain an understanding of local and strategic threat environments, and trends affecting the landscape, and can apply it to inform and provide context
    • Use local and strategic threat information in decision-making and planning
    • Communicate tailored threat information to relevant local stakeholders within the organisation

 

Secure design principal

Typical role level expectations

  • Lead the embedment of ‘secure by design’ principles into application development by providing advice and internal consultancy on highly complex criteria and contexts
  • Lead multi-team assessment of application resilience throughout an IT estate, reviewing regular application security reports, holding accountability and responsibility for secure design implementation
  • Lead and assure processes, and provide SME thought leadership on tooling and dynamic and static analysis in the product development life cycle
  • Lead development teams alongside senior cross-government decision makers to embed secure development life cycle and security awareness, and ensure appropriate tools and skills exist

Skills needed for this role

  • Secure design (Relevant skill level: expert). At this level you:
    • Champion secure design principles, frameworks and standards for a digital service or programme
    • Sponsor and direct the design of detailed low-level workflows and diagrams that describe input, output and logical operation of a digital service. Design and develop the processes of a digital service through its full life cycle
    • Lead and translate security requirements into application design elements including documenting specific security criteria
    • Design advanced audit points into digital services
  • Secure development (Relevant skill level: expert). At this level you:
    • Lead the implementation of secure development principles, software and hardware debugging. Guide developers/engineers
    • Develop services by writing in advanced programming and scripting languages
    • Create and deliver automated assurance against Technical Security guidance and configurations
    • Implement security remediation and perform root cause analysis
    • Lead the development of advanced security audit points in digital services
    • Drive secure coding practices and champion them, including in the engineering community
  • Information risk assessment and risk management (Relevant skill level: working). At this level you:
    • Support security professionals in carrying out risk assessments and developing mitigation strategies for relatively common and well-understood scenarios
    • Have an understanding of, and can apply, the fundamental principles of risk assessment, risk management processes and decision-making
  • Protective security (Relevant skill level: awareness). At this level you:
    • Maintain an up-to-date understanding of fundamentals of all areas of security (especially in the context of government), and appreciate the importance of making use of a combination and multi-layering of appropriate and proportionate Physical, Personnel and Cyber Security measures to protect assets
    • Identify aspects from across the breadth of the security field
    • Promote protective security, providing advice to others
  • Threat understanding (Relevant skill level: practitioner). At this level you:
    • Proactively identify, interpret and leverage a range of relevant sources of threat information, using a variety of techniques, to understand the threat environment (local and strategic), including its nature, capability, focuses of interest and other factors associated with relevant threats
    • Use lessons learned to maintain an understanding of the organisation’s attack surface, and use local and strategic threat information in decision-making and planning
    • Communicate tailored threat information to relevant senior stakeholders across multiple sites and/or business functions
    • Combine external threat information, organisational context and situational awareness to provide a holistic threat understanding capability

 

 

Contact

ddat@gov.scot
