Penetration Testing of Azure Web Portal
Tender ID: 562844
Tender Details
Tender Description
This Tender is invited by the Issuer.
Key Deliverables and Acceptance of the buyer:
Penetration test requirements:
- Security and vulnerability tests of a public-facing Dynamics 365 Web Portal currently in the production environment
- Testing of associated resources such as the .NET Web API (Azure App Service) used by the portal, and authentication services
- Provide a list of all stakeholders who will be involved in the penetration tests (including IP address, tenancy IDs and expected user agents) and their roles and responsibilities
- Document all vulnerabilities and their severity, and provide a summary of recommended remediation steps
- Provide an immediate update to the Project Manager on any critical outcome/s identified, with other updates to be provided regularly
- Provide a written final document of the overall security posture of the web portal, including:
  - Screenshots, code snippets and evidence that identified weaknesses would/could cause actual compromise
  - Recommendations for remediation of any discovered flaws, vulnerabilities or issues of the evaluated web portal
  - General observations and/or advice regarding future portal security (as other features may be added)
- A walkthrough of the results to the Project Manager & Technical Lead
Methodology requirements:
- Preferred methodology for web applications penetration tests is to use the OWASP ASVS
- Tests include both automated and manual testing by skilled penetration testers
- Testing performed by 3 users with unauthorised privileges, low privileges and high privileges.
- Collaborate with the Project Manager, Business Analyst and Technical Lead to clarify intended system behaviors and supporting business processes
Additional requirements:
Provide a recommended approach for additional testing rounds to occur.
Once site and system details have been provided, vulnerability and penetration testing will be undertaken offsite from the Department of the Prime Minister and Cabinet (PM&C). PM&C may require the IP addresses of the testers to ensure automated security systems do not block access.
Estimated start date: Monday, 02 September 2024
Initial contract duration: 1 month
Extension term: 1 month
Number of extensions: 1
Location of work: ACT, Offsite