The objective of this document is to invite CESG-approved companies that have CHECK Scheme-approved consultants (i.e. classified as Green) with web application security experience to tender for the provision of web application security testing services.
The Health and Safety Executive for Northern Ireland (hereafter abbreviated to HSENI) is currently reviewing the information assurance security applied to all of its public-facing online forms. All public-facing online forms are to be subject to an application-level security health check (or penetration test).
The Executive’s online forms are a key channel for communicating with its stakeholders and the general public, and they have also increasingly become a key means of providing transactional and interactive services to the public.
The desired outcome of this exercise is to provide assurance that the Executive’s online forms are protected from penetration and compromise by intruders. The Departmental Security Officer for the Department of Enterprise, Trade & Investment (DETI) wishes to have any security vulnerabilities within the online forms identified, quantified in terms of risk and impact, and accompanied by advice on remedial action. It is envisaged that fixing vulnerabilities and reducing risk will lead to a reduction in the likelihood of:
• Phishing attacks that exploit vulnerabilities, particularly cross-site scripting, and weak or non-existent authentication or authorisation checks;
• Privacy violations resulting from poor input validation and weak business rule or authorisation checks;
• Identity theft through poor or non-existent cryptographic controls, remote file inclusion, and weak authentication, business rule or authorisation checks;
• System compromise, data alteration or data destruction through injection and remote file inclusion attacks;
• Financial loss through unauthorised transactions and cross-site request forgery attacks;
• Reputation loss through exploitation of any of the above vuln