02 Sep 2019

Agile Security Testing Service

Type of document: Contract Notice
Country: United Kingdom

1. Title: AGILE SECURITY TESTING SERVICE
2. Awarding Authority: Department for Work and Pensions, GB. Web:
3. Contract type: Service contract
4. Description: There is a need to undertake continuous penetration (PEN) testing/vulnerability assessment of existing and new features within our Universal Credit (UC) application.
5. CPV Code(s): 72000000, 72260000, 72261000, 72262000, 72263000
6. NUTS code(s): UKI, UKI3, UKI32
7. Main site or location of works, main place of delivery or main place of performance: London
Address where the work will take place Caxton House,
Tothill Street,
London,
SW1H 9NA
8. Reference attributed by awarding authority: Not provided.
9. Estimated value of requirement: Not provided.
10. Closing date for applications 12.9.2019 (23:59).
11. Address to which they must be sent: For further information regarding the above contract notice please visit
12. Other information: Deadline for asking questions Thursday 5 September 2019 at 11:59pm GMT
Latest start date Thursday 31 October 2019
Expected contract length This will be a 2 year contract – initial Statement Of Work (SOW) for approximately 6 months.
About the work
Why the work is being done In order to ensure that a key DWP application is able to support scaling and security requirements. In support of an Agile and adaptable programme of deployment, an application PEN testing/vulnerability assessment capability is required to augment the overall vulnerability management process.
Problem to be solved The scaling and security goals for the application have led to a strategy of commodity cloud hosting. There is a need to assess the application (release candidates) for vulnerabilities on an ongoing basis.
Who the users are and what they need to do Universal Credit claimants will use the application to manage and progress their claim online. DWP Job Centre and Service Centre agents will use the system to perform their roles in support of those claimants.
Early market engagement
Any work that’s already been done
Existing team The supplier will be working alongside a multi-disciplinary team. This team consists of internal DevOps, QA, network engineers, Security and delivery / project managers. The team follows agile processes to prioritise and manage the activities.
The successful supplier will work within a multi-supplier team environment.
Current phase Live
Working arrangements On-site in London office for the majority of the time with some scope for remote working. The collaborative nature of the team means that face to face interaction and presence at daily stand-ups is essential.
Expenses are only provided if travel to other DWP offices is required.
Security clearance SC clearance is required for any individual or team who will be working on the project.
Additional information
Additional terms and conditions
Skills and experience
Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.
Essential skills and experience
Demonstrate extensive knowledge and experience of secure development best practice such as OWASP and SAFECode.
Demonstrate extensive knowledge and experience of undertaking application Penetration tests, using both manual and automated approaches.
Demonstrate extensive knowledge and experience of programming, particularly in Java, Python, and JavaScript.
Demonstrate extensive knowledge and experience of testing large applications with microservice architectures.
Demonstrate extensive knowledge and experience of testing APIs.
Demonstrate extensive knowledge and experience of testing within Continuous Integration (CI)/continuous delivery pipelines.
Demonstrate extensive knowledge and experience of infrastructure as code, particularly Terraform, Puppet and Ansible.
Demonstrate extensive experience of delivering web application security awareness sessions for development staff.
Demonstrate knowledge and experience of testing cloud based applications.
Demonstrate knowledge and experience of writing PortSwigger Burp Suite extensions.
Demonstrate knowledge and experience of static analysis tools, particularly Fortify Static Code Analyzer and Black Duck.
Demonstrate experience of the Building Security In Maturity Model (BSIMM) framework.
Demonstrate experience of providing CREST Certified Web Application Testers and/or CHECK Team Leader (Web applications) capabilities on testing engagements within agile delivery programmes.
Nice-to-have skills and experience
Experience working with AWS
Ability to provide technical leadership in multi-supplier team environments.
How suppliers will be evaluated
How many suppliers to evaluate 3
Proposal criteria
Provide details of how you will tailor your service to accommodate the provision of a testing/development capability within the context of vulnerability assessment using agile methodologies.
Clarify how your experience will enable you to deliver PEN testing/vulnerability assessment services in this context, clarifying how you will add value, delivery focus and technical leadership.
Clarify how you will work with other parallel work streams, ensuring quality standards are maintained.
Describe how you will gain, at pace, a detailed understanding of the service and project requirements to allow rapid involvement in design and decision activities.
Please provide a case study that demonstrates the successful delivery of a similar project. Do not include any personal data, e.g. name, address or contact details.
Cultural fit criteria Based on your past experience, please outline your ability to respond to and align with the culture of the project
Payment approach Fixed price
Assessment methods Written proposal
Evaluation weighting
Technical competence 75%
Cultural fit 5%
Price 20%
Questions asked by suppliers
No questions have been answered yet
TKR-2019830-EX-1149453