Service Complaints Ombudsman for the Armed Forces

Web Application Penetration Test copy

Incomplete applications

24
Incomplete applications
19 SME, 5 large

Completed applications

18
Completed applications
15 SME, 3 large
Important dates
Opportunity attribute name Opportunity attribute value
Published Wednesday 3 October 2018
Deadline for asking questions Wednesday 10 October 2018 at 11:59pm GMT
Closing date for applications Wednesday 17 October 2018 at 11:59pm GMT

Overview

Overview
Opportunity attribute name Opportunity attribute value
Specialist role Cyber security consultant
Summary of the work You will be required to carry out number of advanced manual tests with automated vulnerability scans to ensure every area of our website and application forms are tested.
Latest start date Wednesday 17 October 2018
Expected contract length
Location London
Organisation the work is for Service Complaints Ombudsman for the Armed Forces
Maximum day rate

About the work

About the work
Opportunity attribute name Opportunity attribute value
Early market engagement
Who the specialist will work with You will be working with our supplier who developed the website and the Communications Team within the Service Complaints Ombudsman's office.
What the specialist will work on The security of our website and applications is of paramount importance to business continuity and integrity. Therefore we require penetration testing to provide visibility of the risks associated with our organisation's application components, identify vulnerabilities that may occur, how they can be exploited to extract data or take control of our applications.

Our objective is to understand how the website forms deals with the following:
- data entered by users
- identify any weak access controls
-minimal loss of productivity
-allow us to assess our security posture
- prevent disclosure of confidential information
- complies with regularity requirement and legislation

Work setup

Work setup
Opportunity attribute name Opportunity attribute value
Address where the work will take place Our supplier Connect that manages the website is located within Liverpool. However, the OSCO is based in London. The work will be conducted within London.
Working arrangements We have a good working relationship with our supplier who we can reach 5 days a week, Monday- Friday, if need be. Therefore, we would expect the same with the service provider that we select.
Security clearance CREST Certified

Additional information

Additional information
Opportunity attribute name Opportunity attribute value
Additional terms and conditions

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Skills and experience
Opportunity attribute name Opportunity attribute value
Essential skills and experience
  • identify and fix potential vulnerabilities in your web applications
  • identify any weak access controls
  • Prevent loss of productivity
  • allow us to assess our security posture
  • prevent disclosure of confidential information
  • complies with regularity requirement and legislation (PCI DSS and ISO 27001)
  • Provide data entered by users
Nice-to-have skills and experience

How suppliers will be evaluated

How suppliers will be evaluated
Opportunity attribute name Opportunity attribute value
How many specialists to evaluate 5
Cultural fit criteria
  • Work as a team with our organisation and other suppliers
  • Be transparent and collaborative when making decisions
  • Have a no-blame culture and encourage people to learn from their mistakes
  • Take responsibility for their work
  • Share knowledge and experience with other team members
  • Can work with clients with low technical expertise
Assessment methods
  • Work history
  • Reference
Evaluation weighting

Technical competence

70%

Cultural fit

5%

Price

25%

Questions asked by suppliers

Questions asked by suppliers
Supplier question Buyer answer
1. Do applicants need any clearance or CHECK accreditation? Applicants need to have valid accreditations and qualifications that either work for, or apart of, an organisation that is a member of a professional penetration testing body, such as CREST
2. Please can you confirm the latest start date? Is the 17th October correct as the deadline for submission is also the 17th October. The submission deadline for applications is the 17th October. Once the applicant or organisation has been chosen, we would like pen testing to start immediately.
3. What is the envisioned contract length? We expect that the contact length would be based on 3-5 days to complete the web application test
4. What platform is the system built on (ie. development language, any frameworks or proprietary systems, Operating System) ? WordPress. The website has approximately 100 static/dynamic pages.
5. Can you please clarify your 'Essential requirement' of "Provide data entered by Users"? We would like to know whether the personal information entered by users on our application forms are secure, including the files that they upload
6. Are you looking for just the one consultant? or could a consultancy bid and make available multiple resources? A consultant or organisation can bid for the work. However, the quotes should be based on a fixed to conduct the test.
7. Would it be possible to carry out the work remotely rather than on-site in London? We require offsite testing only. All testing conducted remotely.
8. Can you please let me know how many days you will need the security consultant onsite for? The work is to be carried out offsite. The successful applicant will need to conduct testing for a period of maybe 3 days : Test, Report and Retest. Quotations should take this into consideration.
9. What is the maximum day rate for the role? There is no standard day rate. We are looking for price to complete the job.