Awarded to NTA Monitor Ltd.

Start date: Monday 17 December 2018
Value: £2,550
Company size: SME
Service Complaints Ombudsman for the Armed Forces

Web Application Penetration Test copy

24 Incomplete applications

19 SME, 5 large

18 Completed applications

15 SME, 3 large

Important dates

Wednesday 3 October 2018
Deadline for asking questions
Wednesday 10 October 2018 at 11:59pm GMT
Closing date for applications
Wednesday 17 October 2018 at 11:59pm GMT


Specialist role
Cyber security consultant
Summary of the work
You will be required to carry out number of advanced manual tests with automated vulnerability scans to ensure every area of our website and application forms are tested.
Latest start date
Wednesday 17 October 2018
Expected contract length
Organisation the work is for
Service Complaints Ombudsman for the Armed Forces
Maximum day rate

About the work

Early market engagement
Who the specialist will work with
You will be working with our supplier who developed the website and the Communications Team within the Service Complaints Ombudsman's office.
What the specialist will work on
The security of our website and applications is of paramount importance to business continuity and integrity. Therefore we require penetration testing to provide visibility of the risks associated with our organisation's application components, identify vulnerabilities that may occur, how they can be exploited to extract data or take control of our applications.

Our objective is to understand how the website forms deals with the following:
- data entered by users
- identify any weak access controls
-minimal loss of productivity
-allow us to assess our security posture
- prevent disclosure of confidential information
- complies with regularity requirement and legislation

Work setup

Address where the work will take place
Our supplier Connect that manages the website is located within Liverpool. However, the OSCO is based in London. The work will be conducted within London.
Working arrangements
We have a good working relationship with our supplier who we can reach 5 days a week, Monday- Friday, if need be. Therefore, we would expect the same with the service provider that we select.
Security clearance
CREST Certified

Additional information

Additional terms and conditions

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • identify and fix potential vulnerabilities in your web applications
  • identify any weak access controls
  • Prevent loss of productivity
  • allow us to assess our security posture
  • prevent disclosure of confidential information
  • complies with regularity requirement and legislation (PCI DSS and ISO 27001)
  • Provide data entered by users
Nice-to-have skills and experience

How suppliers will be evaluated

How many specialists to evaluate
Cultural fit criteria
  • Work as a team with our organisation and other suppliers
  • Be transparent and collaborative when making decisions
  • Have a no-blame culture and encourage people to learn from their mistakes
  • Take responsibility for their work
  • Share knowledge and experience with other team members
  • Can work with clients with low technical expertise
Assessment methods
  • Work history
  • Reference
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

1. Do applicants need any clearance or CHECK accreditation?
Applicants need to have valid accreditations and qualifications that either work for, or apart of, an organisation that is a member of a professional penetration testing body, such as CREST
2. Please can you confirm the latest start date? Is the 17th October correct as the deadline for submission is also the 17th October.
The submission deadline for applications is the 17th October. Once the applicant or organisation has been chosen, we would like pen testing to start immediately.
3. What is the envisioned contract length?
We expect that the contact length would be based on 3-5 days to complete the web application test
4. What platform is the system built on (ie. development language, any frameworks or proprietary systems, Operating System) ?
WordPress. The website has approximately 100 static/dynamic pages.
5. Can you please clarify your 'Essential requirement' of "Provide data entered by Users"?
We would like to know whether the personal information entered by users on our application forms are secure, including the files that they upload
6. Are you looking for just the one consultant? or could a consultancy bid and make available multiple resources?
A consultant or organisation can bid for the work. However, the quotes should be based on a fixed to conduct the test.
7. Would it be possible to carry out the work remotely rather than on-site in London?
We require offsite testing only. All testing conducted remotely.
8. Can you please let me know how many days you will need the security consultant onsite for?
The work is to be carried out offsite. The successful applicant will need to conduct testing for a period of maybe 3 days : Test, Report and Retest. Quotations should take this into consideration.
9. What is the maximum day rate for the role?
There is no standard day rate. We are looking for price to complete the job.