1. Software Development Lifecycle (SDLC) Knowledge
- Familiarity with how software is designed, developed, tested, deployed, and maintained.
2. Regulatory and Compliance Knowledge
- NIST Cybersecurity Framework (CSF)
- Executive Order 14028 (Improving the Nation's Cybersecurity)
- SPDX or CycloneDX for SBOM formats
3. Risk Management
- Ability to identify and assess risks associated with software components, including vulnerabilities in
third-party libraries.
- Third party cyber risk assessments
4. Communication and Collaboration
- Skills in collaborating with developers, third parties and stakeholders to ensure compliance and
resolve issues.
Technical Expertise:
1. Software Composition Analysis (SCA) Tools
2. Programming and Scripting Languages
- Knowledge of languages like Python, Java, JavaScript, or C++ to trace dependencies and identify
vulnerabilities.
3. Dependency and Package Management
- Experience with package managers (e.g., npm, Maven, Pip, Gradle) and dependency trees.
4. Vulnerability Databases
- Familiarity with CVE (Common Vulnerabilities and Exposures), NVD (National Vulnerability
Database), or OSV (Open Source Vulnerabilities).
5. SBOM Standards and Tools
- SPDX (Software Package Data Exchange)
- CycloneDX
- Experience with tools that generate or analyze SBOMs (Dependency Track)
6. Open Source Software (OSS) Licensing
- Ability to analyze licensing terms and identify compliance issues in OSS components.
7. Security Frameworks
- Knowledge of security best practices (e.g., OWASP Top 10, secure coding standards).

Preferred Technical and Professional Expertise
Cloud and Container Security
- Familiarity with cloud-native and containerized environments (e.g., Docker, Kubernetes).
Database and Data Analysis
- Capability to query and analyze data from SBOM reports or vulnerability scans.
Continuous Integration/Continuous Deployment (CI/CD)
- Understanding of CI/CD pipelines and how SBOMs integrate into DevSecOps workflows