05 Oct 2018

Web Application Penetration Test Copy

Type of document: Contract Notice
Country: United Kingdom

2. Awarding Authority: Service Complaints Ombudsman for the Armed Forces, GB. Web:
3. Contract type: Service contract
4. Description: You will be required to carry out a number of advanced manual tests with automated vulnerability scans to ensure every area of our website and application forms is tested.
5. CPV Code(s): 48986000, 72254000, 72820000, 72212000, 72200000, 72262000
6. NUTS code(s): UKI, UKI1, UKI11, UKD52
7. Main site or location of works, main place of delivery or main place of performance: London
Address where the work will take place: Our supplier Connect that manages the website is located within Liverpool. However, the OSCO is based in London. The work will be conducted within London.
8. Reference attributed by awarding authority: Not provided.
9. Estimated value of requirement: Not provided.
10. Closing date for applications: 17.10.2018 (23:59).
11. Address to which they must be sent: For further information regarding the above contract notice please visit
12. Other information: Deadline for asking questions: Wednesday 10 October 2018 at 11:59pm GMT
Specialist role: Cyber security consultant
Who the specialist will work with: You will be working with our supplier who developed the website and the Communications Team within the Service Complaints Ombudsman’s office.
What the specialist will work on: The security of our website and applications is of paramount importance to business continuity and integrity. Therefore we require penetration testing to provide visibility of the risks associated with our organisation’s application components, to identify vulnerabilities that may occur, and to show how they can be exploited to extract data or take control of our applications.
Our objective is to understand how the website forms deal with the following:
data entered by users
identify any weak access controls
minimal loss of productivity
allow us to assess our security posture
prevent disclosure of confidential information
complies with regulatory requirements and legislation
Working arrangements: We have a good working relationship with our supplier, who we can reach 5 days a week, Monday-Friday, if need be. Therefore, we would expect the same with the service provider that we select.
Security clearance: CREST Certified
Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.
Essential skills and experience
identify and fix potential vulnerabilities in your web applications
identify any weak access controls
Prevent loss of productivity
allow us to assess our security posture
prevent disclosure of confidential information
complies with regulatory requirements and legislation (PCI DSS and ISO 27001)
Provide data entered by users
How suppliers will be evaluated
How many specialists to evaluate: 5
Cultural fit criteria
Work as a team with our organisation and other suppliers
Be transparent and collaborative when making decisions
Have a no-blame culture and encourage people to learn from their mistakes
Take responsibility for their work
Share knowledge and experience with other team members
Can work with clients with low technical expertise
Assessment methods
Work history
Evaluation weighting
Technical competence
Cultural fit