RFP-60-21-02 – Network Penetration and Vulnerability Testing

Questions & Answers

1. What URLs are to be tested?
• The External Web Application Security Assessment will have a URL to be tested. It will be shared with the contracted vendor.

2. How many web pages exist (both static and dynamic)?
• The External Web Application has about 100 dynamic pages and 1 static page.

3. Are some of these pages dynamically generated from a subset of core pages? If so, how many core pages?
• All pages are dynamically generated. One application has a summary page that is built from a subset of 13 core pages.

4. Does the application require any client-side applications (e.g., Flash Player, ActiveX, etc.)? If so, please list.
• No

5. Please list the APIs involved, if any.
• None

6. For each API involved, will documentation be available prior to testing?
• NOT APPLICABLE FOR THIS ENGAGEMENT

7. For each API involved, how many endpoints/resources exist to be tested?
• NOT APPLICABLE FOR THIS ENGAGEMENT

8. For each API involved, how many methods/verbs does each endpoint accept?
• NOT APPLICABLE FOR THIS ENGAGEMENT

9. For each API involved, how many arguments/variables does each endpoint expect on average?
• NOT APPLICABLE FOR THIS ENGAGEMENT

10. For each API involved, in what format is it expecting and returning data (e.g., JSON, XML, etc.)?
• NOT APPLICABLE FOR THIS ENGAGEMENT

11. How many different user levels are there?
• Up to 4

12. How many user levels do you want to be tested?
• All

13. Do you want us to make sure that one level of logon can/cannot access information intended for another level?
• Yes

14. Do you want data integrity verified between different user levels?
• No

15. Is the application Internet/externally accessible?
• Yes

16. Do you want black-box (unauthenticated) or white-box (authenticated) testing?
• Black-Box for the Pentest and White-Box for the External Web Application Security Assessment

17. What version of Windows Server is in use?
• This is an External Pentest and an External Web Application Security Assessment. It is expected that the vendor would be able to find and document this information as part of the test.

18. What version of Linux is used (e.g., RED HAT, SUSE, etc.)?
• This is an External Pentest and an External Web Application Security Assessment. It is expected that the vendor would be able to find and document this information as part of the test.

19. Are there any devices using iOS?
• This is an External Pentest and an External Web Application Security Assessment. This question falls outside of the scope of this work.

20. How many Virtual Machines are in use, if any?
• This is an External Pentest and an External Web Application Security Assessment. This question falls outside of the scope of this work.

21. Does SURS use a standard build for Windows 10 (7) and Mac devices, if any?
• This is an External Pentest and an External Web Application Security Assessment. It is expected that the vendor would be able to find and document this information as part of the test.

22. Are employees permitted to bring their own devices?
• NOT APPLICABLE FOR THIS ENGAGEMENT

23. Is an MDM in place?
• NOT APPLICABLE FOR THIS ENGAGEMENT

24. Are SURS employees allowed to work remotely? What appliance is used to facilitate this?
• NOT APPLICABLE FOR THIS ENGAGEMENT

25. What type of firewalls, routers, and switches are deployed?
• This is an External Pentest and an External Web Application Security Assessment. It is expected that the vendor would be able to find and document this information as part of the test.

26. Does SURS use any open source software? Is there an inventory of every instance and version?
• This is an External Pentest and an External Web Application Security Assessment. This question falls outside of the scope of this work.

27. Does SURS utilize any cloud IaaS?
• This is an External Pentest and an External Web Application Security Assessment. This question falls outside of the scope of this work.

28. What switches are being used (are they managed)?
• This is an External Pentest and an External Web Application Security Assessment. It is expected that the vendor would be able to find and document this information as part of the test.

29. What standard antivirus software has SURS deployed?
• NOT APPLICABLE FOR THIS ENGAGEMENT

30. Which brand of firewall (e.g., Cisco) is being used by SURS?
• This is an External Pentest and an External Web Application Security Assessment. It is expected that the vendor would be able to find and document this information as part of the test.

31. How many server environments (domains) does SURS utilize?
• NOT APPLICABLE FOR THIS ENGAGEMENT

32. Does the network support wireless devices?
• This is an External Pentest and an External Web Application Security Assessment. This question falls outside of the scope of this work.

33. Does SURS develop applications in-house? Which coding standard, if any, is followed?
• Yes. Our primary pension admin system is developed in-house, on the iSeries platform. We utilize a development tool that generates COBOL and RPG code. LANSA is used to generate our web applications. Other tools in use are SQL, native RPG, CLP, queries, data warehouse/BI. We have file, field, and program naming standards, along with coding best-practice standards that we have developed in-house.

34. Is SURS using web applications or any cloud PaaS?
• NOT APPLICABLE FOR THIS ENGAGEMENT

35. Is the winner of the bid expected to evaluate the security of any of the vendors?
• No

36. Does SURS maintain data flow diagrams that show all data collection touchpoints (e.g., phone in, hard copy application, website, mobile devices) and connections with vendors or other third parties?
• This is an External Pentest and an External Web Application Security Assessment. This question falls outside of the scope of this work.

37. Does SURS have an incident management process? Does it include steps to determine if incidents rise to the level of a breach under state breach notification laws?
• This is an External Pentest and an External Web Application Security Assessment. This question falls outside of the scope of this work.

38. Does SURS currently perform tabletop exercises for large-scale incidents?
• This is an External Pentest and an External Web Application Security Assessment. This question falls outside of the scope of this work.

39. Does SURS have a data classification schedule and access controls designed around it?
• Yes

40. Does SURS have a DR site? Hot/warm/cold?
• This is an External Pentest and an External Web Application Security Assessment. This question falls outside of the scope of this work.

41. If SURS has a DR site, is it in scope for this RFP for assessment?
• A DR site would not be in scope for this assessment.

42. What project deadlines do you have?
• We have flexibility with the schedule. This project is budgeted for FY21 which begins July 1, 2020.

43. Are there crucial milestones that the vendors should be aware of?
• No

44. Which email systems/platform is used?
• This is an External Pentest and an External Web Application Security Assessment. This question falls outside of the scope of this work.

45. Regarding the following text from the RFP…
  • External Web Application Security Assessment
  • Four applications, only one per year
  • Up to four roles
  • 100 Dynamic Pages
Can you clarify whether this would be testing all four applications per year or testing only one application each year?
• Only one of the applications would be tested.

46. Regarding the following text from the RFP…
  • External Network Penetration and Vulnerability Testing
  • Class C network, only up to 20 should be accessible to be penetration tested and scanned for vulnerabilities
Can you clarify whether the number 20 is referring to addresses, networks, devices, or something other?
• Only about 20 total websites, devices, addresses should be in use.

47. Are all four (4) of the in-scope web applications roughly the same in complexity, number of pages, and number of input fields?
• No

48. Is the Network Penetration Testing being performed to meet any specific regulatory or compliance requirement?
• SURS prefers to use the testing methodology issued by NIST Special Publication 800-53 CA-8. This would be from an external source. We will not be testing social engineering attacks in this engagement.

49. Do we need to test only the 20 identified IPs in all from the Class C network subset?
• Testing should be performed on any identified resource. There should be under 20 resources.

50. Regarding the External Network, will the client grant necessary access to perform the activity remotely?
• During the Penetration testing no access will be granted. The Web Application testing will require special access.

51. Please specify the number of subnets and maximum possible IPs in your network for network recon.
• The Penetration testing will be 1 Class C network. Maximum IPs possible is 256. However, there should be less than 20 resources found.

52. Please specify the approximate lines of code in each application.
• Code review will not be part of this engagement.

53. Will the client provision for a licensed automated tool for code analysis or does the responder need to purchase tool licenses?
• SURS will not provide for a licensed automated tool. This will be the responsibility of the vendor.

54. Are there any APIs associated with each application? If yes, please specify the number of APIs and number of methods for each application.
• See items 5-10

55. Regarding the External Web Application, would a dummy or test account be provided for each login?
• Yes, SURS will provide accounts to be used.

56. Is the client expecting a re-testing to be performed once the vulnerabilities are fixed by the client for each activity in scope?
• SURS would like the opportunity to have this performed.

57. Is the client fine with responder performing all activities remotely?
• Yes

58. Are internal and external scans expected to be completed or both?
• The Pentest engagement should be an external scan only.

59. How many web services are to be scanned?
• All

60. How many endpoints / internal and external are to be scanned?
• See 46, 49, 51

61. How many networks are you expecting to be included in the scan and the network sizes?
• See 51

62. Do you have a budget for this work?
• Yes

63. For the external web application security assessment, there are 4 web applications, but the RFP states to test one a year for the three-year period. It is our assumption that two will be tested during the first year, and then one each the following two years. Is that assumption correct?
• SURS tests 1 application per year. The selected vendor will not be testing all applications.

64. For the web apps it was noted that there are 4 roles and 100 dynamic pages. Is it safe to assume these apply to all four web applications?
• No, each application has its own unique roles and pages. The numbers, 4 roles and 100 dynamic pages, should be the upper end of any of the applications.

65. Do you require authenticated and unauthenticated testing of the web apps?
• Yes

66. For the code review of the web applications, will a non-production environment be available for testing?
• Code review will not be part of this engagement.

67. In order to better scope the code review, would the System be willing to provide the details of the codebase using the following: https://github.com/AlDanial/cloc
• No

68. Do you prefer a black box or grey box external penetration test?
• Black box testing that simulates an external attacker with no inside knowledge.

69. Do you require denial of service testing?
• No

70. Are any of the systems in scope hosted by a third party or cloud service provider?
• No

71. Can vulnerability scans and penetration tests be performed during working hours, or do they need to be performed after hours?
• As long as the tests are not running in a manner that would cause a DoS, performing the work during normal work hours is fine.

72. When does the initial report need to be finalized?
• Within 2 weeks of completion.

73. Under the Minimum Qualifications on page 5 of the RFP, it states the firm will have “certified personnel” performing the pen testing. Does the System require any specific certifications?
• No specific certifications, but the following are ideas of the types of certifications we are looking for:
  • Certified Expert Penetration Tester (CEPT)
  • CompTIA PenTest+
  • EC-Council Certified Ethical Hacker (CEH)
  • EC-Council Licensed Penetration Tester (LPT) Master
  • GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
  • GIAC Web Application Penetration Tester (GWAPT)
  • Global Information Assurance Certification (GIAC) Penetration Tester (GPEN)
  • IACRB Certified Penetration Tester (CPT)
  • Certified Application Security Engineer (CASE)
  • Certified Information Systems Auditor (CISA)
  • Offensive Security Web Expert (OSWE)

74. Regarding Proposal Content on page 5 of the RFP, what information should be provided under “Reference Checks”? The only other mention of references is on Appendix C. So please clarify where they should be placed and the information you need.
• Reference Checks in Section V – Proposal Content – is stating that SURS will conduct its own reference check for each finalist.
• Appendix C: Fee Proposal – References are what you will provide as part of the Proposal Evaluation.

75. What is the total number of internal applications?
• This is an External Pentest and an External Web Application Security Assessment. This question falls outside of the scope of this work.

76. What is the total number of public-facing applications?
• All 4 web applications are accessible to the public; however, all of them also require authentication to log into the site and gain access.

77. Have the External / Internal Applications gone through QA testing?
• Yes

78. How many of the organization’s servers are public-facing?
• This is an External Pentest and an External Web Application Security Assessment. It is expected that the vendor would be able to find and document this information as part of the test.

• This is an External Pentest and an External Web Application Security Assessment. It is expected that the vendor would be able to find and document this information as part of the test.

79. What is the size of the internal network (e.g., hosts, network equipment)?
• See questions 46, 49, 51.

80. Are there any mobile applications that your organization uses?
• No

81. What cloud services are being used, if any?
• This is an External Pentest and an External Web Application Security Assessment. This question falls outside of the scope of this work.

82. What is the preferred and implemented backend technology used by the applications?
• This is an External Pentest and an External Web Application Security Assessment. It is expected that the vendor should be able to find and document this information as part of the test.

83. What technology is used to develop the applications?
• SURS utilizes a development tool that generates COBOL and RPG code. LANSA is used to generate our web applications.

84. Are there any firewalls, DLP, or IDS/IPS implemented?
• Yes

85. Is there a dedicated Security Operations Center?
• Yes

86. Was any vulnerability and penetration testing done earlier?
• Yes

87. Does the organization have any monitoring and logging procedure (e.g., SIEM implementation)?
• Yes

88. For the application part, which testing methodology is preferred (e.g., black box, white box, grey box)?
• Grey Box

89. Is there any specific standard / compliance that needs to be followed (e.g., OWASP, HIPAA)?
• There is not a compliance that needs to be followed, but we try to adhere to industry standards: PCI, HIPAA, SOX, NIST. SURS utilizes the principles of OWASP to help map out security risks.

90. Which software development model is used to develop applications (e.g., SDLC, SSDLC, DevSecOps)?
• SDLC

91. Do the applications use any open source plugins, add-ons, or technologies?
• Yes, integration with our counseling appointment scheduling vendor.

92. Does the organization also have Operational Technology which is remotely monitored?
• Yes

93. Is there documentation to review the functionalities of the applications to be tested?
• No

94. Is it mandatory to execute the project on-site? Is it possible to execute the project from an offshore location?
• See item 57. The project will be executed from within the U.S.

95. Is this a fixed price project? Or can the work also be done as managed services or time and materials (T&M)?
• Fixed price.

96. Our firm is registered in New York. Do we need to be licensed to conduct business in Illinois?
• Regardless of where your organization is registered, as long as you are authorized to provide services to a customer in the state of IL there should be no issue.

97. Does this project require a static or dynamic code review or both?
• Both

98. Will SURS consider a response to a portion of the RFP (e.g., proposal for network testing only or application assessment only)?
• SURS prefers to have the vendor provide both parts of the engagement.

99. Does SURS have any incident response (IR) requirements?
• No

100. SURS’ evaluation criteria include “independence”. Please provide a definition for the “independence” criteria.
• From the Cambridge Dictionary, “the state of wanting or being able to do things for yourself and make your own decisions, without help or influence from other people”. Independence is one of the criteria that SURS will be evaluating.

101. Is SURS willing to allow a non-invasive external port scan to be conducted in advance of proposal submission as a qualification exercise in order to validate public-facing IP ranges and the number of active hosts (i.e. open/listening ports)?
• No

102. Please confirm the URL(s) of the website(s) in scope.
• This will be shared with the selected vendor after contracts have been signed.

103. Is SURS seeking authenticated or unauthenticated pen testing of the web application(s) in scope?
• During the Pentest it will be unauthenticated.

104. If SURS is seeking authenticated testing, is SURS willing to provide test user credentials with the desired privileges (i.e. end user, manager, admin, etc.) in order to qualify size/complexity of the site from an authenticated perspective? The size/complexity (number of dynamic pages, forms/inputs, functional characteristics, etc.) of the site post-authentication will directly impact the required production time and the subsequent costs involved.
• SURS will provide the necessary test user credentials.

105. If SURS is seeking unauthenticated testing, what are the total number of dynamic pages and total number of forms/inputs of the website post-authentication? Please describe the overall functional attributes available to the user perspective that will be tested (links, radio buttons, drop-downs, report generation, etc.)
• See question #45

106. Is web application testing to be conducted against the live production server environment or a test server environment?
• Test

107. If testing is performed on the live production server, are there portions of the site that should not be tested in order to avoid a potential interruption of service?
• NOT APPLICABLE FOR THIS ENGAGEMENT

108. Is SURS willing to disable specific security controls once their effectiveness has been substantiated during testing in order to increase the substance of the testing effort and maximize cost efficiencies?
• To some degree, after testing with security controls in effect, SURS is willing to whitelist IPs.

109. Regarding the external network, how large is the IP space to be assessed (i.e., range size, how many Class Cs, Class Bs, etc.)? Please provide the subnets/IP addresses.
• See questions 46, 49, 51. This information will be provided to the contracted vendor.

110. Regarding the external network, how many hosts are in scope as part of this assessment (i.e., how many hosts are expected to be live out of the IP space in question 3)?
• See questions 46, 49, 51.

111. Regarding the external network, are any systems or devices in scope hosted by a third party?
• NO

112. How many web applications are in scope?
• See questions 45, 63, 64

113. What is the name of each application?
• This information will be provided to the contracted vendor.

114. What is the primary function of each application?
• This information will be provided to the contracted vendor.

115. What is the type of each application (e.g., Web, Thick-client, etc.)?
• Web

116. Is each application available over the Internet? If not, at what location does the testing team need to be in order to test?
• Testing should be over the Internet. If additional methods are needed SURS will work with the vendor.

117. For the application testing, what type of authentication is required (e.g., password, OTP token, certificate)?
• This information will be provided to the contracted vendor.

118. For the application testing, what is the total number and type of authorization levels in scope for this assessment (e.g., anonymous, admin, workflow)?
• See questions 45, 63, 64

119. Is a current application design diagram available for the application architecture including platforms, locations of customer data, network-based controls, etc.?
• No

120. Were the applications purchased from a vendor, developed in-house, or the result of an outsourced development project?
• In-House

121. What languages are used (e.g., C, C++, Java, JSP, ASP, PHP, Perl, Ruby, Cold Fusion) in the applications?
• See question 33

122. What is the development platform (e.g., .Net Visual Studio, Java Eclipse, other) for the applications?
• See question 33

123. Which application server or middleware is used (e.g., Weblogic, Websphere, .Net)?
• See question 33

124. What database server is used for the applications (e.g., MS SQL, Oracle, Sybase, DB2)?
• See question 33

125. If web application/client server/mobile device, approximately how many pages/screens accept user input?
• 48

126. If web application/client server/mobile device, approximately how many user input fields are on each page on average?
• 7

127. If web services, approximately how many web service methods are supported?
• Yes, one of the web applications has one webservice.

128. If web services, approximately how many total operations are supported? (Because some web services support multiple operations with a single method, the total number of operations is required to scope. For example, if a single method can support add, modify and delete functionality - that would count as three operations.)
• 2 Operations

129. If web services, approximately how many parameters are supported by each method on average?
• 22

130. If web services, what is the network transport utilized (e.g., Raw TCP, SSL)?
• SOAP via SSL.

131. If web application/web services, how many URLs are required to access the application components?
• 1

132. If web application/web services, what is the platform/framework (e.g., ASP.Net, JSF, Servlets, Struts)?
• See questions 45, 63, 64

133. If web application/web services, what other technologies are involved in the web applications’ n-Tier architecture?
• See questions 45, 63, 64

134. If selected, can the interviews identified in the Terms and Conditions section on page 11 of the RFP be performed remotely given the current restrictions on travel due to COVID-19?
• We are amenable to anything that can be done remotely.

135. Can all work for SURS under any resulting contract to this RFP be performed remotely?
• Yes

136. Can all meetings with SURS be conducted remotely?
• Yes

137. Please confirm that the scope is 20 external active addresses and four web applications to be tested annually for up to three years.
• See questions 45, 63, 64 and 46, 49, 51

138. The scope in the introduction identifies “Four applications, only one per year” but a contract for a three-year period. Can you clarify what this means in terms of testing and if the testing scope is really one of the four applications once per year, leaving one of the applications unassessed during the term of this RFP?
• See question 63

139. In the Introduction to the RFP it states that the contract term is for three years. But it is mentioned that there are four applications to be tested, with only one tested each year. Please provide clarification.
• See question 63

140. For code review, please provide the approximate lines of code and platform used (e.g., .net, php) in each application.
• VB.NET. Approximate lines of code = 300

141. How does your team define success?
• Completed on time, on budget, with completion of defined deliverables from the scope of work.

142. What are the primary drivers of success on this project? What are the goals and objectives?
• To identify and validate vulnerabilities, conduct exploitation, categorize risks and rank severities based on level of threat, factoring in the potential loss and likelihood of exploitation. This testing should be performed in a manner that will not disrupt our day-to-day operations.

143. What special instructions or rules of engagement do bidders need to know?
• Testing should be performed in a manner that will not disrupt our day-to-day operations. Industry standard Rules of Engagement dictate that attack vectors, such as Denial of Service (DoS) attacks, will not be in scope.

144. What type of vulnerability standards are to be included (e.g., NERC, CERT, ISO, HIPAA, Finance)?
• See question 89

145. When was your last vulnerability assessment and penetration test completed?
• June 2019

146. What were the findings of the last CVA and penetration test?
• NOT APPLICABLE FOR THIS ENGAGEMENT

147. Did you have any significant issues with the last CVA and penetration test? If so, please describe.
• NOT APPLICABLE FOR THIS ENGAGEMENT

148. Are there any known issues or outstanding issues you desire fixed now? If so, please explain.
• This information will be provided to the contracted vendor.

149. What is the desired start and end date for the vulnerability assessment?
• We don’t anticipate starting before July 1; aside from that we can be flexible with the start date. End date predicated on vendor’s project schedule.

150. On a scale of poor, adequate, average, above average, or solid, please rate the following in your organization: (1) IT knowledge and experience in information, application, and network security; (2) Condition/completeness of security policies and procedures; and (3) your internal experience in conducting cyber vulnerability testing.
• NOT APPLICABLE FOR THIS ENGAGEMENT

151. How many people work in your cyber/information security organization?
• This information will be provided to the contracted vendor.

152. What security monitoring or management software tools do you use?
• This information will be provided to the contracted vendor.

153. What existing software tools do you use for assessment and penetration testing?
• This information will be provided to the contracted vendor.

154. How is your network differentiated? Please specify (i.e., test/development/quality assurance, engineering workstation, training, back-up, primary).

• This information will be provided to the contracted vender.

155. Which of the networks in the above question should be included in the vulnerability assessment?

• This information will be provided to the contracted vender.

156. Are the networks in a single location or multiple? If multiple, please describe. • Single

157. How many IP addresses exist per network?

• See questions 46, 49, 51

158. How many cyber assets are included in the assessment total?

• See questions 46, 49, 51

159. How many network devices (firewalls, routers, and switches) are included in the assessment?

• 2

160. Is active network vulnerability scanning desired?

• Yes

161. Will we be able to connect a laptop to your network and SCADA systems? Will we use external or client resources (e.g., Nessus)?

• No

162. Do you have the budget approved for this work, or will you require assistance to justify the ROI?

• SURS has a budget approved for this work.

163. Can the scans be conducted remotely, or must they be performed at each specified site?

• Scans should be conducted remotely

164. Will any of the scans require specific user credentials or will all scans be performed without credentials?

• Yes, the application web testing should be with and without credentials.

165. Will appropriate IT staff be assigned to properly whitelist and respond to any issues in a timely manner in order to properly perform the desired scans?

• Any whitelisting of source IPs should be set up prior to testing.

166. Do you have any restrictions associated with COVID-19 gatherings?

• SURS offices may be closed due to COVID-19.

167. Do you have any special agreements with hotels in the area (e.g., standard rates, etc.)?

• NOT APPLICABLE FOR THIS ENGAGEMENT

168. Is the external network meant to be tested annually? With four applications and only one to be tested per year, are only three applications to be tested?

• Correct. This is a 3-year engagement. The selected vendor would only be testing up to 3 web applications. See questions 46, 49, 51 and 45, 63, 64

169. For the external network, can you provide a number of live IPs within the ranges you provided? Is this 20 based upon the RFP information?

• See questions 46, 49, 51

170. Please provide a brief summary of what external application is used for.

• This information will be provided to the contracted vendor.

171. For each external application, what functionality exists before login? What is the approximate number of pages before login (e.g., login, register, forgot password, etc.)?

• See questions 45, 63, 64

172. For each external application, what functionality exists after login? What is the approximate number of pages after login (e.g., add to basket, payment, write blog post, account management, change password, etc.)?

• See questions 45, 63, 64

173. For each external application, how many user roles are there, and what levels of privilege do they have?

• See questions 45, 63, 64

174. Where is each application hosted (e.g., cloud, etc.)?

• On site.

175. What are the goals for the engagement (e.g., compliance, general interest in increasing security posture, etc.)?

• See question 142

176. What languages are included in the manual code review?

• NOT APPLICABLE FOR THIS ENGAGEMENT

177. Is the expectation for the external assessment to be a vulnerability scan, a penetration test, or both?

• Both

178. The term of the engagement is described as three years in the Introduction section of the RFP. In the same section it is stated that four web applications are to be tested at a rate of one per year. Is this correct? Will the contract term for penetration testing also be for four years or only three?

• See question 168

179. In the Introduction section of the RFP, it states “Class C network, only up to 20 should be accessible”. To clarify, is this implying that only 20 hosts with one or more services are expected to be exposed to the internet within the target network range(s)?

• Correct, see questions 46, 49, 51

180. For the External Network Penetration and Vulnerability Testing, are there any IPS/WAF devices that are configured to automatically blacklist traffic? If so, can these be configured to whitelist source testing traffic as not to restrict/block during testing?

• Yes. After testing with these devices enabled. If IP addresses are available, we could add the addresses in certain situations.

181. For the External Web Application Security Assessment, the RFP states that “Malicious code analysis” and “Manual code review” are required. Will the full code base be provided for each application so that static analysis can be performed in addition to the dynamic/manual penetration testing? If so, can the language and line be provided for each application in scope?

• No

182. For internal penetration testing, how many IPs are in use for each one of the 20 Class C IP ranges?

• See questions 46, 49, 51

183. How many “live” IPs are in the 20 Class C subnets?

• See questions 46, 49, 51

184. Can you provide an estimated breakdown of the devices that would be included in all Class C subnets?

• No

185. How many physical locations need to be assessed?

• 1

186. How much time will be required to be on-site?

• None

187. How many websites are to be assessed?

• See questions 45, 63, 64

188. How many external IP addresses are to be assessed?

• See questions 46, 49, 51

189. Are there expectations for a particular framework (e.g., NIST, COBIT, ISO)?

• See questions 48, 89

190. Does your organization have compliance requirements that should be considered as part of this assessment? If so, which ones (e.g., PCI, HIPAA, MA 201 CMR, etc.)?

• See question 89

191. What steps will be taken if the tester detects a previous or active compromise to systems being tested?

• Any issues that arise during testing should be brought to the attention of the project sponsor. Logs are to be maintained.

192. When was the last comprehensive penetration testing performed? Are the findings and remediations available?

• See question 145

193. How many users are to be included?

• For the application web testing see question 64.

194. Is only one web application per year going to be tested?

• See questions 45, 63, 64

195. If only one web application per year is to be tested, are we to bid on the web assessment as a multi-year project?

• Yes

196. Will you accept a hybrid resource model (on-site and offshore) or only fully on-site resource model?

• See question 94

197. Is this a new project or an existing one supported by another supplier? If existing, what would be the transition state and the size of the team?

• NOT APPLICABLE FOR THIS ENGAGEMENT

198. Can we suggest a tool stack or is there a client-recommended tool stack?

• NOT APPLICABLE FOR THIS ENGAGEMENT

199. Is there any submission fee for this RFP?

• No

200. Will you accommodate more than one vendor to perform this service?

• See question 98

201. Is there an intrusion detection system (IDS) in place? If so, will we be testing the functionality of the IDS (i.e., will we have to use stealth scanning techniques to determine which traffic is identified by the IDS and which is not)?

• Yes, it is understood that the IDS system will be tested.

202. Is the management of any part of the environment outsourced?

• The systems in this scope are not outsourced

203. What is the general purpose of each in-scope web application?

• This information will be provided to the contracted vendor.

204. Is this engagement being performed to address any specific regulatory standard?

• See question 89

205. Based on the scope of 20 Class C networks, how many total services are available from the Internet across these networks? How many are web servers and/or running web services (HTTP and HTTPS)?

• 1 Class C network, up to 20 endpoints. See questions 46, 49, 51

206. Regarding the external network testing, are any of the in-scope web services hosted at a third party? If so, how many third parties with associated number of services? How many third parties will require written approval to test these systems?

• No

207. Regarding the external network testing, is email social (phishing attacks) in scope for the assessment?

• No

208. What coding languages are utilized to develop the web applications that will be tested? Approximately how many lines of code are in use in the applications?

• See question 33. 50,803 lines of code.

209. What is the size of the App, in both Mbytes and lines of code? Are there multiple files per App?

• We are not certain of actual size but yes, there are multiple files per App. 50,803 lines of code

210. Is the App compiled with external libraries? If so, are the external libraries going to be provided? Are the external libraries to be included in the review?

• No, external libraries are not included in the review.

211. For the External Web Application Security Assessment, the RFP states that SURS has four applications and that only one will be assessed per year. Since this RFP is for a three-year annual project, would SURS desire to have two web applications assessed during one of the three years, or to have the vendor risk-assess which application to not address during the project?

• See questions 45, 63, 64

212. The RFP states that “stated firm/individual has certified personnel performing Penetration Testing and Web Application Assessments”. Are there specific certifications desired, or are you looking for the team to have industry-recognized security and penetration testing certifications?

• See question 73.

213. The RFP states that “the proposed fee shall include all costs and expenses for providing the services and equipment as described in this RFP, and any agreed-upon extended warranties that are associated with initial installation”. Is this standard RFP language, or what equipment and warranties would be expected as part of this RFP?

• This is part of our standard RFP.

214. The RFP states “timeline for recommended solution to be implemented.” Is this standard RFP language, or what ‘solution’ is expected as part of this RFP?

• This is part of our standard RFP.

215. The RFP states “following a review of submitted materials, if requested, selected individuals or organizations must be prepared to make a presentation or otherwise participate in an in-person interview in Champaign, IL or in Chicago, IL with SURS staff members and/or members of the SURS Board of Trustees at a date and location to be determined by SURS.” Due to the current circumstances with COVID-19, do you expect to have an in-person presentation or interview as a required part of the selection process, or could this be done remotely, via WebEx, etc.?

• We are amenable to anything that can be done remotely.

216. If the testing is required during non-business hours, can we use offshore resources as long as no data leaves the U.S.?

• Yes, provided no data leaves the US.

217. Will IP address ranges be provided by SURS, or is there an expectation for testers to perform reconnaissance to discover your network ranges and IP addresses?

• SURS will provide the contracted vendor with the address of the Class C network.

218. Please confirm if 20 total IP addresses for External Network Penetration and Vulnerability Testing will be scanned each year for vulnerabilities over a three year period.

• This is the expected number of addresses for the next three years.

219. SURS would like to conduct security assessment annually for three years, whereas the requirement for external web application security assessment states “Four applications, only one per year”. Can you please clarify if one web application testing will be conducted annually for four years or is the expectation to complete the testing of all four web applications within three years?

• See questions 45, 63, 64

220. Can you provide a brief description of all four web applications and their functionality?

• This information will be shared with the contracted vendor.

221. Are all four web applications accessible from the Internet, or only from the internal SURS network? If internal only, can SURS provide remote access to reach the web applications for testing, or would testers be required to be on-site to test the applications?

• Applications are accessible from the Internet; however, SURS would provide any remote access needed.

222. In reference to “All forms/required documents needed for submitting a request for proposal (RFP) are available on the SURS website at www.surs.org”, can you kindly provide a complete web URL to access these forms?

• https://www.surs.org/sites/default/files/RFP/Network%20Penetration%20and%20Vulnerability%20Testing%20RFP.pdf

223. Please share the complexity of the four applications identified for annual dynamic analysis.

• See questions 2, 3, 4-10, 33, 64-66, 125-133, 140, 208-210

224. Is source code analysis to be performed for the four applications? If so, please share the approximate lines of code for each application.

• See questions 45, 63, 64

225. Is the scope limited to one application per year, or does it include all four applications yearly?

• See questions 45, 63, 64

226. Does SURS have any security testing tools that can be leveraged, or is the supplier expected to bring in the tools required? Please share the details about current security testing tools for infra and applications, if any.

• All tools should be provided by the contracted vendor.

227. Are there any restrictions on the locations or facilities from where the scans can be performed? Does it have to be U.S. only, or are non-U.S. locations (e.g., India) fine?

• See question 94

228. Are there any restrictions on the execution model? For example, does it have to be a dedicated team, or can a shared services model (which helps reduce cost) work?

• No

229. Are there any restrictions on sharing the source code with an offshore team for performing source code analysis?

• No source code is to be shared offshore