How to write verifier job requisitions

How to write verifier job requisitions
If you are responsible for hiring staff to perform application security verifications, you can use OWASP ASVS to help write job requisitions. The ASVS defines four levels of verification that increase in both breadth and depth as one moves up the levels. Each level requires a different skill set. Job requisitions can be written by reusing verification level requirements as skill set requirements. Examples are provided below.

Example: Software Assurance Engineer, Jr
The OWASP ASVS level 1 requirements can be used to help write a job requisition for a junior-level software assurance engineer:

Sample Job Description:

''The ideal candidate will be proficient in basic system administration and application development, but not necessarily possess experience performing application security verifications. Perform automated verification of minimum risk applications. Use automated tools augmented with manual verification according to OWASP ASVS verification requirements. Perform manual verification to verify that each automated finding is correct and not a false positive. Create verification reports that detail the web application security architecture, and the results of the verification according to OWASP ASVS reporting requirements. Define web application security architectures by identifying individual or groups of source files, libraries, and/or executables. Analyze multiple instances of vulnerability patterns that can be traced to single root causes that can be combined into a single risk.''

Example: Software Assurance Engineer, Mid
The OWASP ASVS level 2 requirements can be used to help write a job requisition for a middle-level software assurance engineer:

Sample Job Description:

''The ideal candidate will be proficient in performing application security verifications, but not necessarily according to the OWASP ASVS. Perform manual verification of applications that handle personal transactions, business-to-business transactions, process credit card information, or process personally identifiable information according to OWASP ASVS verification requirements. Run automated tools and use just manual techniques. Use automated tool results to support manual analysis. Verify that all security controls make decisions using a whitelist approach and that security controls cannot be bypassed. Perform manual penetration testing. Perform manual source code review. Create verification reports that detail the web application security architecture, and the results of the verification according to OWASP ASVS reporting requirements. Define web application security architectures by grouping application components into a high-level architecture (for example MVC controller components, business function components, and data layer components). Define components by identifying individual and groups of source files, libraries, and/or executables. Analyze multiple instances of vulnerability patterns that can be traced to single root causes that can be combined into a single risk.''

Example: Software Assurance Engineer, Sr
The OWASP ASVS level 3 and 4 requirements can be used to help write a job requisition for a senior-level software assurance engineer:

Sample Job Description:

'' The ideal candidate will provide subject matter expertise in application security verifications, but not necessarily according to the OWASP ASVS. Perform design verification of applications that handle significant business-to-business transactions, including those that process healthcare information, implement business critical or sensitive functions, or process other sensitive assets according to OWASP ASVS verification requirements. Perform internal verification of critical applications that protect life and safety, critical infrastructure, or defense functions according to OWASP ASVS verification requirements. Ensure that security controls themselves are working correctly, and that security controls are used everywhere within the application that they need to be used to enforce application-specific policies. Ensure that secure coding practices were followed. Create verification reports that detail the web application security architecture, and the results of the verification according to OWASP ASVS reporting requirements. Define web application security architectures by grouping application components into a high-level architecture (for example MVC controller components, business function components, and data layer components), including defining the relationships between components and groups of components. Analyze multiple instances of vulnerability patterns that can be traced to single root causes that can be combined into a single risk.''

Postscript
The author of this article can be reached at boberski_michael(at)bah.com

Good luck!