Awarded to Agenci Ltd.

Start date: Monday 20 November 2017
Value: £83,000
Company size: SME
Department for Work and Pensions

DWP - Agile Security Testing

11 Incomplete applications

5 SME, 6 large

8 Completed applications

3 SME, 5 large

Important dates

Friday 11 August 2017
Deadline for asking questions
Friday 18 August 2017 at 11:59pm GMT
Closing date for applications
Friday 25 August 2017 at 11:59pm GMT


Summary of the work
There is a need to undertake continuous PEN testing/vulnerability assessments of existing and new features within the application. Additionally to automate security testing within a CI/CD environment.
Latest start date
Monday 11 September 2017
Expected contract length
2 year contract - initial Statement of Work for 4 months
Organisation the work is for
Department for Work and Pensions
Budget range

About the work

Why the work is being done
In order to ensure that this key DWP application is able to support the scaling and security requirements, it is being re-engineered for resilience and to allow it to operate in a commodity cloud hosting environment. In support of this, an Agile and adaptable programme of PEN testing/vulnerability assessment is required to enable the overall vulnerability management process.
Problem to be solved
The scaling and security goals for the application have led to a strategy of commodity cloud hosting. There is a need to assess the application (release candidates) for vulnerabilities on an ongoing basis, additionally to automate security testing.
Who the users are and what they need to do
Universal Credit Claimants will use the system to mange and progress their claim online.
DWP Job Centre and Services Centre Agents will use the system to perform their roles in support of the Universal Credit Applicants.
Early market engagement
Any work that’s already been done
Work to deliver a Minimum Viable Product (MVP) is concluding.
Existing team
The supplier will be working as a part of a multi-disciplinary team dedicated to the work to migrate the service to a commodity cloud platform. This team consists of internal DevOps, QA, network engineers, Security and delivery / project managers. The team is 10 strong and follows agile processes to prioritise and manage the activities.
Current phase

Work setup

Address where the work will take place
Caxton House, Tothill Street, London, SW1H 9NA
Working arrangements
On-site in London office for the majority of the time with some scope for remote working. The collaborative nature of the team means that face to face interaction and presence at daily stand-ups is essential.
Security clearance
Security Check (SC) Clearance.

Additional information

Additional terms and conditions
DWP additional terms and conditions are specified on our e-procurement system Bravo;

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Experience of undertaking vulnerability assessment and PEN tests, for highly resilient, highly available applications - 5%
  • Extensive, demonstrable knowledge of system security vulnerabilities and remediation techniques. - 5%
  • Experience of introducing/undertaking both automated and manual application PEN testing/vulnerability assessment. - 5%
  • Experience of PEN testing/vulnerabilty assessment within Agile enviroments with Coninuous Integration (CI) pipelines. - 5%
  • Experience of testing applications with large microservice architectures, including API testing. - 5%
  • Experienced CHECK and or CREST certified Application Tester. - 5%
  • Capacity to supply, experienced PEN Tester with technical skills (>3 years’ experience) in Terraform, puppet, github, bash, python, java, Mongo, ActiveMQ, microservice architectures, commodity cloud environments. - 5%
  • Have experience of working within DWP or a comparable organisation within the last 3 years - 4%
Nice-to-have skills and experience
  • Ability to provide technical leadership in multi-supplier team environments. - 3%
  • Experience working with AWS - 3%

How suppliers will be evaluated

How many suppliers to evaluate
Proposal criteria
  • Provide details of how you will taylor your service to accommodate the provision of a testing engineering/development capability within the context of vulnerability assessment using agile methodologies. - 6%
  • Clarify how your expierence will enable you to deliver PEN testing/vulnerability assessment services in this context, clarifying how your resources will add value, delivery focus and technical leadership.- 6%
  • Clarify how your resources will work with other parallel work streams, ensuring quality standards are maintained-6%
  • Describe how you will gain at pace, a detailed understanding of the service and project requirements to allow rapid involvement in design and decision activities-6%
  • Describe what processes you will use for the identification of risks and dependencies and the approaches to manage them- 6%
Cultural fit criteria
Based on your past experience, please outline your ability to respond to and align with the culture of the project -5%
Payment approach
Capped time and materials
Assessment methods
  • Written proposal
  • Work history
  • Presentation
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

1. Will the role fall within IR35 legislation?
At this time the role has been deemed as outside of IR35 however, should the features of the engagement change, a further assessment will be made which could change the determination.
2. Could the Authority please clarify if they wish specialists permanently embedded within the current team for the duration of the contract? Or are you looking for resources to be brought in on an ‘as required’ basis?
We require the resource(s) embedded within the programme for the duration of the initial Statement of Work (4 months). The expectation is that this will also be the case for any subsequent activity (through Statements of Work).
3. Are other equivalent qualifications (of CHECK technical competency) considered e.g. Tiger or Cyberscheme?
We require a CHECK and/or CREST qualified Application Tester for this engagement.
4. Please could you advise on the number of FTEs you are expecting?
For the initial SOW we anticipate one FTE, however any subsequent SOWs will be agreed at the time.
5. Please can you advise if you would be content for the team to be rotated during the 2 year engagement?
Provided that the skillset and experience of the resources will meet the defined requirements in a way that the outcomes can be met, we are content for rotation.
6. Is the use of third parties acceptable as part of our offering?
We would expect the Potential Suppliers to be able to fulfil the Outcome themselves. However we would not exclude any offers on the basis of using sub-contractors if the requirements could still be met.
7. What is the type of application developed (Services, API's, Web based, etc.) and what is the current maturity of the application in terms of functional design, development and deployment?
This is a web based application using a microservices architecture. There are a number of API’s therefore.
8. What is the future roadmap for the application?
Agile working practices are in place, so the application will evolve as new requirements are identified.
9. What are the tooling involved in the CI/CD platform?
The majority of tooling in place is articulated within the requirements provided in this advert.
10. What is the current team size of security team for the application?
The existing Secure Design team is compromised.
11. Is DWP looking to create a central security test team to continuously be accountable for all security tests across sprints?
DWP is looking to complement its existing team of security professionals as opposed to creating a new team.
12. Since Automated Security Testing requires tools, which tools will be used?
DWP will look to the supplier to play a role in identifying and introducing relevant tools.
13. For outcome based FTE commercial model, what are the outcomes which the agile project team is looking for apart from finding the vulnerabilities in the application? - Are there any predefined KPI's?
We will be looking to finalise Key Deliverables once we have had a chance to analyse Potential Provider’s offerings.
However, the primary outcome is to test features within the service that have been identified for testing. Activity is tracked/signed off via our ticketing system.
14. Is network level performance test in scope?
The scope of the initial SOW is to focus upon Application testing.
15. What is the anticipated number of FTE's that DWP would require in the subsequent SOW's - after the initial SOW of 4 months?
The Authority has not yet decided what future SOW’s will look like. We will be looking to have the initial SOW as specified in the requirements, and any subsequent SOWs will be agreed at a later date.
16. What is the current team size of security team for the application?
The existing Secure Design team is comprised of a number of security professionals with varied skill sets, encompassing, security engineers, architects and GRC specialists.