Awarded to Prism Infosec

Start date: Tuesday 16 February 2021
Value: £900
Company size: SME
Cabinet Office

Penetration Testing of new website

21 Incomplete applications

15 SME, 6 large

23 Completed applications

23 SME, 0 large

Important dates

Published
Wednesday 13 January 2021
Deadline for asking questions
Friday 15 January 2021 at 11:59pm GMT
Closing date for applications
Wednesday 20 January 2021 at 11:59pm GMT

Overview

Specialist role
Cyber security consultant
Summary of the work
Cabinet Office will be launching a website for the honours system and we are seeking a supplier to bid on performing penetration testing.
Latest start date
Friday 29 January 2021
Expected contract length
5 days
Location
No specific location, for example they can work remotely
Organisation the work is for
Cabinet Office
Maximum day rate

About the work

Early market engagement
Who the specialist will work with
Web developer
What the specialist will work on
To check the security of the new public-facing website, ensuring it will be impervious to malicious actors/hackers.

Work setup

Address where the work will take place
Work can be done remotely
Working arrangements
Work can be done remotely.
Security clearance
N/A

Additional information

Additional terms and conditions

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Have experience in cyber security
  • Can provide a web application security assessment
Nice-to-have skills and experience

How suppliers will be evaluated

All suppliers will be asked to provide a work history.

How many specialists to evaluate
3
Cultural fit criteria
  • take responsibility for their work
  • can work with clients with low technical expertise
Additional assessment methods
Evaluation weighting

Technical competence

50%

Cultural fit

5%

Price

45%

Questions asked by suppliers

1. Will the incumbent be applying for the role?
This is a new website so there is no incumbent performing this testing currently.
2. Will the incumbent be applying for the role?
This is a new website so there is no incumbent performing this testing currently.
3. Please can you advise the indicative day rate?
We are asking suppliers to provide their pricing for the project. We have no set day rate.
4. What penetration test certificates does the buyer require?
CREST certification
5. Is there a current incumbent in this role?
No
6. Is the website tested & deployed via a pipeline? Can the penetration testing work be added to the pipeline so that any changes to the website are automatically penetration tested, with a security gate to prevent an insecure deployment?
No, we don't use a pipeline
7. What is budget for this activity?
We are asking suppliers to provide their pricing for the project. We have no set day rate.
8. Are you able to provide access to the current build of the website for us to review?
Yes
9. Please can you confirm the following:

How many static pages are on the site?
How many dynamic/interactive pages are on the site?
Is there a user registration/login mechanic?
Is there an admin panel/CMS in scope?
If an admin panel/CMS is in scope, how many user role types are there?
16 static pages. No interactive pages. Users will not be offered registration, but the site administrator and editors will log into the site here: honours.cabinetoffice.gov.uk/wp-admin. WordPress offers 7 user role types but we will only be using Administrator and Editor for this site.
10. Could you confirm please what certification is required? Specifically is CHECK required?
Yes, CHECK and CREST certification are both required
11. Can you please advise on whether there is an incumbent in place and if the role is considered inside or outside of IR35?
There is no incumbent.
12. Web Application
What is the URL/IP address, if publicly accessible?
If not, how are the applications accessed?
Please give a brief summary of what the application is used for.

What functionality exists before login, and approximate number of pages (e.g. login, register, forgotten password)?
What functionality exists after login, and approximate number of pages (e.g. add to basket, payment, write blog post, account management – change password)?
How many user roles are there and what additional functionality can they access?
Where is the application hosted (cloud etc.)?
honours.cabinetoffice.gov.uk

IP address - 35.187.113.57

A public-facing website to showcase the work of the Honours Secretariat

Login only for editors and admin to update the site pages (add news stories, events etc) and plugins. Approx 30 pages so far.

WordPress offers 7 user role types but we will only be using Administrator and Editor for this site.

Hosted with WPEngine (dedicated/managed WordPress hosts)
13. Optional
Which programming language(s) is the application written in?
Which platform(s) is the web server running?
WordPress site. PHP, MySQL, HTML, CSS, JavaScript, jQuery

Hosted with WPEngine - https://wpengine.com/
14. Web API services (if applicable)

What is the business purpose of this web service?
How many web service endpoints are there in scope?
What is the number of functions per web service?
Is the web service specification/documentation available for scoping and/or testing purposes?
What technology are the web services using? (e.g. HTTP – SOAP/RESTful or non-HTTP)
Do the web services require authentication?
Are the web services consumed by normal usage of an application?
API - not applicable

A public-facing website to showcase the work of the Honours Secretariat
Website address:
https://honours.cabinetoffice.gov.uk

Fairly basic WordPress website - no forms, no registration necessary for users. Most pages are text and images. Some embedded videos.

Login for website admin and editors - https://honours.cabinetoffice.gov.uk/wp-admin
15. In your response to Q4 you state CREST is a requirement, but then in your response to Q10 you indicate CREST and CHECK are a requirement. Please clarify whether BOTH are mandatory or whether CREST only applications will qualify.
We need a CREST-approved test provided by a CHECK-approved company.
16. Based on your response to question, please can you confirm if this is a CHECK test or not.
We need a CREST-approved test provided by a CHECK-approved company.
17. Please can you confirm if CHECK certification is an essential requirement or whether other certifications such as CREST are acceptable.
We need a CREST-approved test provided by a CHECK-approved company.
18. Clarification on previous question: Are you able to provide a link to the current build now in your answer so that we’re able to review and use for our proposal? Or are you planning to provide this to the shortlisted applicants that get into the next round?
This will be provided to shortlisted candidates only.
19. Answers to previous Q&A say you are looking for a price, i.e. 5x the day rate we quote.

Please can you confirm that you are looking for a single "point-in-time" test after which our work is completed. A supplier could retest if a deficiency is found, provided this was remediated within, say, a fortnight of the initial test, but ongoing repeat testing is a different requirement altogether.
Yes, that's correct. We're looking for a single 'point-in-time' test. (And possible repeat depending on the results, but not ongoing repeats.) Thanks.
20. Please can you confirm that your understanding of the PenTest’ers role is to test. Remediation is not the PenTest’ers responsibility and that corrective action, if necessary, is taken by others.
Yes, we are looking for a pen test only.