Awarded

Penetration Testing of new website

Published

Supplier(s)

Prism Infosec

Value

900 GBP

Description

Summary of the work
Cabinet Office will be launching a website for the honours system and we are seeking a supplier to bid on performing penetration testing.

Specialist role
Cyber security consultant

Expected Contract Length
5 days

Latest start date
Friday 29 January 2021

Who Specialist Works With
Web developer

What Specialists Work On
To check the security of the new public-facing website, ensuring it will be impervious to malicious actors/hackers.

Skills & Experience
• Have experience in cyber security
• Can provide a web application security assessment

Work Location
Work can be done remotely

Working Arrangements
Work can be done remotely.

Security Clearance
N/A

No. of Specialists to Evaluate
3

Cultural Fit Criteria
• Take responsibility for their work
• Can work with clients with low technical expertise

Evaluation Weighting
Technical competence 50%
Cultural fit 5%
Price 45%

Questions from Suppliers

1. Q: Will the incumbent be applying for the role?
   A: This is a new website so there is no incumbent performing this testing currently.
   Q: Please can you advise the indicative day rate?
   A: We are asking suppliers to provide their pricing for the project. We have no set day rate.

2. Q: Will the incumbent be applying for the role?
   A: This is a new website so there is no incumbent performing this testing currently.

3. Q: Please can you advise the indicative day rate?
   A: We are asking suppliers to provide their pricing for the project. We have no set day rate.

4. Q: What penetration test certificates does the buyer require?
   A: CREST certification

5. Q: Is there a current incumbent in this role?
   A: No

6. Q: Is the website tested & deployed via a pipeline? Can the penetration testing work be added to the pipeline so that any changes to the website are automatically penetration tested, with a security gate to prevent an insecure deployment?
   A: No, we don't use a pipeline

7. Q: What is the budget for this activity?
   A: We are asking suppliers to provide their pricing for the project. We have no set day rate.

8. Q: Are you able to provide access to the current build of the website for us to review?
   A: Yes

9. Q: Please can you confirm the following: How many static pages are on the site? How many dynamic/interactive pages are on the site? Is there a user registration/login mechanic? Is there an admin panel/CMS in scope? If an admin panel/CMS is in scope, how many user role types are there?
   A: 16 static pages. No interactive pages. Users will not be offered registration, but the site administrator and editors will log into the site here: honours.cabinetoffice.gov.uk/wp-admin. WordPress offers 7 user role types but we will only be using Administrator and Editor for this site.

10. Q: Could you confirm please what certification is required? Specifically, is CHECK required?
    A: Yes, CHECK and CREST certification are both required

11. Q: Can you please advise on whether there is an incumbent in place and if the role is considered inside or outside of IR35?
    A: There is no incumbent.

12. Q: Web Application: What is the URL/IP address, if publicly accessible? If not, how are the applications accessed? Please give a brief summary of what the application is used for. What functionality exists before login, and approximate number of pages (e.g. login, register, forgotten password)? What functionality exists after login, and approximate number of pages (e.g. add to basket, payment, write blog post, account management – change password)? How many user roles are there and what additional functionality can they access? Where is the application hosted (cloud etc.)?
    A: honours.cabinetoffice.gov.uk; IP address 35.187.113.57. A public-facing website to showcase the work of the Honours Secretariat. Login only for editors and admin to update the site pages (add news stories, events etc.) and plugins. Approx 30 pages so far. WordPress offers 7 user role types but we will only be using Administrator and Editor for this site. Hosted with WPEngine (dedicated/managed WordPress hosts).

13. Q: Optional: Which programming language(s) is the application written in? Which platform(s) is the web server running?
    A: WordPress site. PHP, MySql, HTML, CSS, Javascript, JQuery. Hosted with WPEngine - https://wpengine.com/

14. Q: Web API services (if applicable): What is the business purpose of this web service? How many web service endpoints are there in scope? What is the number of functions per web service? Is the Web Service specification/documentation available for scoping and/or testing purposes? What technology are the web services using? (e.g. HTTP – SOAP/RESTFUL or Non-HTTP) Do the web services require authentication? Are the web services consumed by normal usage of an application?
    A: API - not applicable. A public-facing website to showcase the work of the Honours Secretariat. Website address: https://honours.cabinetoffice.gov.uk. Fairly basic WordPress website - no forms, no registration necessary for users. Most pages are text and images. Some embedded videos. Login for website admin and editors - https://honours.cabinetoffice.gov.uk/wp-admin

15. Q: In your response to Q4 you state CREST is a requirement, but then in your response to Q10 you indicate CREST and CHECK are a requirement. Please clarify whether BOTH are mandatory or whether CREST-only applications will qualify.
    A: We need a CREST approved test provided by a CHECK approved company.

16. Q: Based on your response to the question, please can you confirm if this is a CHECK test or not.
    A: We need a CREST approved test provided by a CHECK approved company.

17. Q: Please can you confirm if CHECK certification is an essential requirement or whether other certifications such as CREST are acceptable.
    A: We need a CREST approved test provided by a CHECK approved company.

18. Q: Clarification on previous question: Are you able to provide a link to the current build now in your answer so that we're able to review and use it for our proposal? Or are you planning to provide this to the shortlisted applicants that get into the next round?
    A: This will be provided to shortlisted candidates only.

19. Q: Answers to previous Q&A say you are looking for a price, i.e. 5x the day rate we quote. Please can you confirm that you are looking for a single "point-in-time" test after which our work is completed. A supplier could retest if a deficiency is found, provided this was remediated within, say, a fortnight of the initial test, but ongoing repeat testing is a different requirement altogether.
    A: Yes, that's correct. We're looking for a single 'point-in-time' test. (And possible repeat depending on the results, but not ongoing repeats.) Thanks.

20. Q: Please can you confirm that your understanding of the PenTester's role is to test. Remediation is not the PenTester's responsibility, and corrective action, if necessary, is taken by others.
    A: Yes, we're looking for Pen Test only.

Timeline

Publish date

3 years ago

Award date

3 years ago

Buyer information

Cabinet Office