IFES is seeking a service provider for the implementation and effectiveness verification of the Electronic Party Finance Declaration System in Ukraine.
Within the framework of its support to the National Agency on Corruption Prevention (hereinafter "NAPC"), IFES seeks an experienced company or private entrepreneur (hereinafter "Provider") to perform penetration testing and performance testing of the Electronic Party Finance Declaration System in Ukraine (hereinafter "System"). The System is being built by a company contracted by IFES (hereinafter "Developer") and, upon completion, will be operated by the NAPC.
SCOPE OF WORK
Penetration Testing
The Provider will perform penetration testing of the System remotely, identify its cybersecurity weaknesses, and deliver a detailed technical report and a management report on the vulnerabilities found. The technical report must describe the testing methodology used, list the identified risks ranked by severity, and include a threat mitigation plan. Attack vectors must be exercised from every seeded user role, including the unauthenticated state, to confirm that no privilege escalation from a less privileged to a more privileged role is possible. Social engineering is out of scope. The reports must be delivered to the NAPC and the Developer either on paper or electronically with adequate encryption.
The detailed description of the tasks is as follows:
- The penetration testing must cover all network-connected components, operating systems, middleware, storage area network (SAN, up to two systems), network-attached storage (NAS, up to two systems), databases, and application servers that make up the target System; it may also include encryption hardware and the hardware used to apply qualified electronic signatures (QES);
- The penetration testing must be conducted as a gray-box test: technical documentation and the source code of the System will be provided. A subset of infrastructure components will also be made available for configuration review, to confirm the effectiveness of encryption, disaster recovery, and physical security controls;
- The configuration of the intrusion detection system, network equipment, firewalls, and anti-malware solution must be analyzed to confirm its effectiveness and the confidentiality and integrity protection of logs and settings;
- The System architecture must be analyzed to identify single points of failure and other continuity and security deficiencies;
- The schedule of all testing activities must be planned and agreed with the NAPC and the Developer in advance;
- The Provider must agree with the NAPC on any critical or risky operations before performing them during the test;
- Application-level testing must at minimum cover the requirements of an application security verification standard such as the OWASP Application Security Verification Standard (ASVS);
- Network-level testing must include layer 2 attacks (for example ARP spoofing and VLAN hopping);
- Network-level testing must verify the security of all protocols in use;
- Local privilege escalation testing must include all techniques applicable to the target;
- The Provider shall conduct Penetration Testing service following appropriate industry-wide, highly recognized methodologies and standards, such as:
○ Penetration Testing Execution Standard (PTES)
○ Open Web Application Security Project (OWASP)
- The Provider shall follow the most recent version of these methodologies and standards when conducting the penetration testing;
- The test flow must target at least the OWASP Top 10 vulnerability categories.
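The role-escalation requirement above (every seeded role, including the unauthenticated state, must be unable to reach a more privileged function) is usually checked with an authorization matrix: each (role, endpoint) pair is exercised and the observed outcome is compared with the designed one. The following harness is an added example written for this page, not code from IFES, the NAPC or the Developer. The roles, the endpoint paths, the expected matrix and the fake transport are constructed assumptions; against the real test environment the transport would issue HTTP requests with each role's session and the matrix would come from the System's design documentation.

```python
"""Authorization matrix check for vertical privilege escalation.

Added example; roles, endpoints, EXPECTED and fake_transport are assumptions
constructed for illustration, not the real System's interface.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Hypothetical roles ordered from least to most privileged; None = unauthenticated.
ROLES: List[Optional[str]] = [None, "party_user", "party_signer", "analyst", "admin"]

# Hypothetical endpoints mapped to the roles that are designed to reach them.
EXPECTED: Dict[Tuple[str, str], Set[Optional[str]]] = {
    ("GET", "/api/public/reports"):       {None, "party_user", "party_signer", "analyst", "admin"},
    ("PUT", "/api/party/report/draft"):   {"party_user", "party_signer", "admin"},
    ("POST", "/api/party/report/sign"):   {"party_signer", "admin"},
    ("GET", "/api/analyst/reports.xlsx"): {"analyst", "admin"},
    ("POST", "/api/admin/users"):         {"admin"},
}

# A transport takes (role, method, path) and returns the HTTP status observed.
Transport = Callable[[Optional[str], str, str], int]


def fake_transport(role: Optional[str], method: str, path: str) -> int:
    """Constructed stand-in for the test environment.

    It enforces EXPECTED correctly except for one deliberate defect: the
    signing endpoint only checks that the caller is logged in, not that the
    caller actually holds the signer role.
    """
    if (method, path) == ("POST", "/api/party/report/sign"):
        return 200 if role is not None else 401
    if role in EXPECTED[(method, path)]:
        return 200
    return 401 if role is None else 403


@dataclass
class Finding:
    role: Optional[str]
    method: str
    path: str
    status: int
    # "vertical_escalation" | "missing_authentication" | "unexpected_denial"
    kind: str


def check_matrix(transport: Transport,
                 expected: Dict[Tuple[str, str], Set[Optional[str]]] = EXPECTED,
                 roles: List[Optional[str]] = ROLES) -> List[Finding]:
    """Exercise every (role, endpoint) pair and report deviations from the matrix.

    A 2xx for a role that is not allowed is an escalation (or a missing
    authentication check when the role is None); a non-2xx for an allowed role
    is reported too, because a silently broken function hides later retests.
    """
    findings: List[Finding] = []
    for (method, path), allowed in expected.items():
        for role in roles:
            status = transport(role, method, path)
            granted = 200 <= status < 300
            if granted and role not in allowed:
                kind = "missing_authentication" if role is None else "vertical_escalation"
                findings.append(Finding(role, method, path, status, kind))
            elif not granted and role in allowed:
                findings.append(Finding(role, method, path, status, "unexpected_denial"))
    return findings


if __name__ == "__main__":
    for f in check_matrix(fake_transport):
        print(f"{f.kind:22} {f.role or 'anonymous':13} {f.method} {f.path} -> {f.status}")
```

Run against the constructed transport, the check reports that party_user and analyst can sign a party report, which is exactly the kind of escalation the scope asks the Provider to rule out. The same matrix, re-run after the Developer's fixes, doubles as the retest required below. It covers role-to-role (vertical) escalation only; access to another party's objects (horizontal escalation) needs per-object identifiers in the request and a second matrix keyed by object ownership.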
Testing must be repeated once the Developer has processed the report and fixed the vulnerabilities found, to confirm that the mitigations and fixes were applied correctly and that no new vulnerabilities were introduced in the process.
All information about the software and hardware architecture of the System, implementation details, source code, internal documentation, and findings produced during testing must be covered by a non-disclosure agreement (NDA) signed by all parties before the test begins.
Performance Testing
The Provider will conduct performance testing of the System to determine its performance and scalability, its behavior under peak load, and its limits. The Provider must also prepare a detailed technical report that includes:
- The methodology used;
- The identified bottlenecks and the load thresholds at which the System breaks;
- A description of the System's behavior under extreme loads and of its recoverability;
- Key performance metrics of the System;
- General recommendations for mitigating the risks found during performance testing;
- The list of user scenarios used during testing.
The user scenarios must include:
- Editing of the party report draft by multiple users;
- Signing and submission of the party report;
- Access to the depersonalized information from submitted reports via the public website, including search, filtering, and access to detailed information of reports;
- Access to the depersonalized information from submitted reports via API;
- Access to personalized data in the analyst role, including search, filtering, and downloading of reports in Excel format;
- Mixed usage scenarios, which include more than one scenario described above.
Testing must be repeated once the Developer has processed the report and fixed the issues found, to confirm that the mitigations and fixes were applied correctly and that no new issues were introduced in the process.
In addition, the Provider must hand over the source code of the test scenarios, or a virtual machine image, so that the NAPC can rerun the performance tests after major changes to the System's codebase or to the hardware or infrastructure it runs on. A short user manual or training on how to run the performance tests is also required.
The test environment will be deployed in the NAPC data center and configured in a production-like way. The development team may amend the System's authentication, authorization, or signing routines, so the Provider must account for this during the planning and design phase.
The test environment can be pre-populated with test data and a variety of user accounts.
The load-generating infrastructure must be hosted within Ukraine or with any global cloud computing provider.
DELIVERABLES:
- A detailed technical report on the vulnerabilities of the System, including a threat mitigation plan, based on the results of the penetration testing;
- A detailed technical report on the vulnerabilities of the System, including a threat mitigation plan, based on the results of the performance testing;
- A management report on the main vulnerabilities of the System, based on the results of the penetration and performance testing;
- The source code of the test scenarios, or a virtual machine image, that the NAPC can use later to rerun performance testing after major changes to the System's codebase or to the hardware or infrastructure it runs on;
- A user manual on how to run the performance tests.
BIDDER QUALIFICATION REQUIREMENTS
Qualifications:
- Previous experience in conducting penetration and performance testing of similar scope;
- Highly qualified staff and specialists with an appropriate professional background;
- Ability to provide a list of clients with contact information for each;
- Official registration under Ukrainian law.
Applicants should submit the following documents:
- A detailed technical proposal for the implementation of the required services;
- The proposed cost of the activities (total amount in UAH, with a detailed breakdown by type of activity and applicable taxes);
- Information on previously completed services of similar scope, with a brief description of the technologies used;
- Information about the team assigned to the task, including CVs of its members and their valid certificates demonstrating the appropriate qualifications of the project team;
- Official company documents confirming the applicant's registered status.
Interested candidates are invited to submit their proposals in English to Maksym Palamarchuk ([email protected]) with "Penetration and performance testing of the Electronic Party Finance Declaration System in Ukraine" in the subject line. The deadline for applications is COB, May 03, 2020 (Kyiv time).