Cabinet Office
Penetration Testing of new website
21 Incomplete applications
15 SME, 6 large
23 Completed applications
23 SME, 0 large
Important dates
- Published
- Wednesday 13 January 2021
- Deadline for asking questions
- Friday 15 January 2021 at 11:59pm GMT
- Closing date for applications
- Wednesday 20 January 2021 at 11:59pm GMT
Overview
- Specialist role
- Cyber security consultant
- Summary of the work
- Cabinet Office will be launching a website for the honours system and we are seeking a supplier to bid on performing penetration testing.
- Latest start date
- Friday 29 January 2021
- Expected contract length
- 5 days
- Location
- No specific location, for example they can work remotely
- Organisation the work is for
- Cabinet Office
- Maximum day rate
About the work
- Early market engagement
- Who the specialist will work with
- Web developer
- What the specialist will work on
- To check the security of the new public-facing website, ensuring it will be impervious to malicious actors/hackers.
Work setup
- Address where the work will take place
- Work can be done remotely
- Working arrangements
- Work can be done remotely.
- Security clearance
- N/A
Additional information
- Additional terms and conditions
Skills and experience
Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.
- Essential skills and experience
  - Have experience in cyber security
  - Can provide a web application security assessment
- Nice-to-have skills and experience
How suppliers will be evaluated
All suppliers will be asked to provide a work history.
- How many specialists to evaluate
- 3
- Cultural fit criteria
  - take responsibility for their work
  - can work with clients with low technical expertise
- Additional assessment methods
- Evaluation weighting
  - Technical competence: 50%
  - Cultural fit: 5%
  - Price: 45%
Questions asked by suppliers
- 1. Will the incumbent be applying for the role?
- This is a new website so there is no incumbent performing this testing currently.
- 2. Will the incumbent be applying for the role?
- This is a new website so there is no incumbent performing this testing currently.
- 3. Please can you advise the indicative day rate?
- We are asking suppliers to provide their pricing for the project. We have no set day rate.
- 4. What penetration test certificates does the buyer require?
- CREST certification
- 5. Is there a current incumbent in this role?
- No
- 6. Is the website tested & deployed via a pipeline? Can the penetration testing work to be added to the pipeline so that any changes to the website are automatically penetration tested with a security gate to prevent an insecure deployment?
- No, we don't use a pipeline
- 7. What is budget for this activity?
- We are asking suppliers to provide their pricing for the project. We have no set day rate.
- 8. Are you able to provide access to the current build of the website for us to review?
- Yes
- 9. Please can you confirm the following: How many static pages are on the site? How many dynamic/interactive pages are on the site? Is there a user registration/login mechanic? Is there an admin panel/CMS in scope? If an admin panel/CMS is in scope, how many user role types are there?
- 16 static pages. No interactive pages. Users will not be offered registration, but the site administrator and editors will log into the site here: honours.cabinetoffice.gov.uk/wp-admin. WordPress offers 7 user role types but we will only be using Administrator and Editor for this site.
- 10. Could you confirm please what certification is required? Specifically is CHECK required?
- Yes, CHECK and CREST certification are both required
- 11. Can you please advise on whether there is an incumbent in place and if the role is considered inside or outside of IR35?
- There is no incumbent.
- 12. Web Application: What is the URL/IP address, if publicly accessible? If not how are the applications accessed? Please give a brief summary on what the application is used for? What functionality exists before login, and approximate number of pages (e.g. login, register, forgotten password)? What functionality exists after login, and approximate number of pages (e.g. add to basket, payment, write blog post, account management – change password)? How many user roles are there and what additional functionality can they access? Where is the application hosted (cloud etc.)?
- honours.cabinetoffice.gov.uk; IP address 35.187.113.57. A public-facing website to showcase the work of the Honours Secretariat. Login only for editors and admin to update the site pages (add news stories, events etc) and plugins. Approx 30 pages so far. WordPress offers 7 user role types but we will only be using Administrator and Editor for this site. Hosted with WPEngine (dedicated/managed WordPress hosts).
- 13. Optional: Which programming language(s) is the application written in? Which platform(s) is the web server running?
- WordPress site. PHP, MySql, HTML, CSS, Javascript, JQuery. Hosted with WPEngine - https://wpengine.com/
- 14. Web API services (if applicable): What is the business purpose of this web service? How many web service endpoints are there in scope? What are the number of functions per web service? Is the Web Service specification/documentation available for scoping and/or testing purposes? What technology are the web services using? (e.g. HTTP – SOAP/RESTFUL or Non-HTTP) Do the web services require authentication? Are the web services consumed by normal usage of an application?
- API - not applicable. A public-facing website to showcase the work of the Honours Secretariat. Website address: https://honours.cabinetoffice.gov.uk. Fairly basic WordPress website - no forms, no registration necessary for users. Most pages are text and images. Some embedded videos. Login for website admin and editors - https://honours.cabinetoffice.gov.uk/wp-admin
- 15. In your response to Q4 you state CREST is a requirement, but then in your response to Q10 you indicate CREST and CHECK are a requirement. Please clarify whether BOTH are mandatory or whether CREST only applications will qualify.
- We need a CREST approved test provided by a CHECK approved company.
- 16. Based on your response to question, please can you confirm if this is a CHECK test or not.
- We need a CREST approved test provided by a CHECK approved company.
- 17. Please can you confirm if CHECK certification is an essential requirement or whether other certifications such as CREST are acceptable.
- We need a CREST approved test provided by a CHECK approved company.
- 18. Clarification on previous question: Are you able to provide a link to the current build now in your answer so that we’re able to review and use for our proposal? Or are you planning to provide this to the shortlisted applicants that get into the next round?
- This will be provided to shortlisted candidates only.
- 19. Answers to previous Q&A say you are looking for a price, ie 5x the day rate we quote. Please can you confirm that you are looking for a single "point-in-time" test after which our work is completed. A supplier could retest if a deficiency is found provided this was remediated within say a fortnight of the initial test, but ongoing repeat testing is a different requirement altogether.
- Yes, that's correct. We're looking for a single 'point-in-time' test. (And possible repeat depending on the results, but not ongoing repeats.) Thanks.
- 20. Please can you confirm that your understanding of the PenTest’ers role is to test. Remediation is not the PenTest’ers responsibility and that corrective action, if necessary, is taken by others.
- Yes, we are looking for Pen Test only.