Job Description
Software Analyst supports the mission of the National Information Assurance Partnership by conducting in-depth software assurance and Software Bill of Materials (SBOM) analysis for commercial technologies seeking evaluation, authorization, or deployment within National Security Systems (NSS) and other sensitive U.S. Government environments.
This role focuses heavily on software supply chain transparency, software provenance, open-source software (OSS) risk analysis, vulnerability identification, and vendor cybersecurity practices. The analyst evaluates software components, dependencies, development practices, and third-party supplier risks to identify potential threats to the confidentiality, integrity, and availability of government systems.
The position requires strong technical analysis, cybersecurity knowledge, and the ability to assess software ecosystems from both a security and supply chain perspective.
Key Responsibilities
- Conduct Software Bill of Materials (SBOM) analysis on commercial software products, platforms, and applications undergoing evaluation or review.
- Analyze software dependencies, transitive dependencies, and third-party libraries to identify supply chain risks and hidden software exposure.
- Review and validate SBOM formats and standards including:
SPDX
CycloneDX
SWID tags
- Assess software provenance, code lineage, package integrity, and software component authenticity.
- Identify known vulnerabilities and software weaknesses through:
CVE analysis
KEV review
Vulnerability databases
Threat intelligence sources
- Evaluate risks associated with:
Open-source software (OSS)
Foreign-developed software components
Unsupported or end-of-life dependencies
Unmaintained libraries
Software obfuscation or lack of transparency
- Perform secure software supply chain assessments aligned with:
NIST SSDF
Executive Order 14028
Federal software assurance guidance
NIAP protection profile requirements
- Conduct due diligence research on software vendors, developers, maintainers, and software ecosystems.
- Analyze vendor secure development practices including:
Secure coding methodologies
Build pipeline security
CI/CD protections
Dependency management
Patch management
Code signing
- Review software development and deployment architectures for potential supply chain attack vectors.
- Support Common Criteria evaluations and software assurance activities through technical risk analysis and supply chain assessments.
- Produce technical reports, analytical findings, risk summaries, and executive-level briefings related to software supply chain security.
- Collaborate with government, industry, evaluation labs, and cybersecurity stakeholders to improve software assurance practices and SBOM utilization.
Monitor emerging software supply chain threats, malware campaigns, dependency compromise incidents, and malicious package activity.
Security Clearance Requirements
- TS/SCI w/Polygraph to start.
Preferred Education & Certifications
- (U) Fourteen (14) years experience as a SE in programs and contracts of similar scope, type and complexity is required. Bachelor’s degree in System Engineering, Computer Science, Information Systems, Engineering Science, Engineering Management, or related discipline from an accredited college or university is required. Five (5) years of additional SE experience may be substituted for a bachelor’s degree.
- Preferred certifications may include:
CISSP
CSSLP
Security+
GIAC certifications
Certified SCRM Professional
Cloud security certifications
Application security certifications
Salary: $190,000-$220,000. This represents the typical salary range for this position, but is not guaranteed. Salary is based on experience, location and contractual requirements which could fall outside of the range listed.
,
Required Skills
- Experience in software supply chain security, cybersecurity analysis, application security, or SCRM.• Strong understanding of:
Software Bills of Materials (SBOMs)
Open-source software ecosystems
Software composition analysis (SCA)
Vulnerability management
Secure software development
Common Criteria
NIAP evaluation concepts
NIST cybersecurity guidance
Federal software security initiatives
- Knowledge of software package managers and ecosystems such as:
npm
PyPI
Maven
NuGet
GitHub repositories
- Ability to analyze complex software dependency structures and identify risk indicators.
- Experience writing technical analytical reports and communicating findings to technical and non-technical audiences.
LCAT Domain Experience Needed:
- IA and cybersecurity architectures, concepts, principles, use cases, and standards;
DoD, IC, and other federal government (e.g., NIST) policy, directives, and instructions relevant to IA and cybersecurity strategic planning and direction.
,
Desired Skills
- Experience with SBOM and software analysis tools such as:
Dependency-Track
Syft
Grype
Black Duck
Snyk
Sonatype Nexus
Mend.io
Anchore
Static Application Security Testing (SAST)
Dynamic Application Security Testing (DAST)
Malware analysis
Reverse engineering
Code signing validation
Supply chain attacks
Dependency confusion
Typosquatting
Build system compromise
Malicious open-source package activity
- Experience evaluating software vendor security maturity and secure development lifecycle practices.
Knowledge of cloud-native software architectures and container security.
,
About Tensley Consulting, Inc.
About TensleyTensley Consulting is a Service-Disabled Veteran-Owned Small Business focused on mission engineering in support of the United States Intelligence Community and the Department of Defense. Our team consists of System Engineers, Software Engineers, Test Engineers, and Signals Analysts performing work throughout the Continental United States (CONUS) and Outside the Continental United States (OCONUS).
Equal Opportunity, Diversity & InclusionWe aim to build a team that represents a variety of backgrounds, perspectives, and skills. We embrace inclusion and ensure equal employment opportunity without discrimination or harassment based on race, color, religion, sex (including pregnancy, childbirth, or related medical conditions), sexual orientation, gender identity or expression, age, disability, national origin, marital or domestic/civil partnership status, genetic information, citizenship status, military or veteran status, or any other personal characteristic.
Benefits Include
100% paid medical coverage with HSA and company contribution
100% paid vision, dental, short-term, and long-term premium
12% 401(k) contribution (not a match)
Education and training budget
6 weeks and 3 days of PTO
And much more!
Come grow with us!