HSENI - Online Forms Security Health Check

Buyer: Department of Finance and Personnel Northern Ireland





Description:
The objective of this document is to invite CESG approved companies, who have CHECK Scheme approved consultants (i.e. classified as Green) with web application security experience, to tender for the provision of web application security testing services.


2. BACKGROUND

The Health and Safety Executive for Northern Ireland (hereafter abbreviated to HSENI) are currently reviewing the information assurance security applied to all public facing online forms. All public facing online forms are to be subject to an application level security health check (or penetration test).

The Executive’s online forms are a key channel for communicating with its stakeholders and the general public, and they have increasingly become a key means of providing transactional and interactive services to the public.

The desired outcome of this exercise is to provide assurance that the Executive’s online forms are protected from penetration and compromise by intruders. The Departmental Security Officer for the Department of Enterprise, Trade & Investment (DETI) wishes to have any security vulnerabilities within online forms identified and quantified in terms of risk/impact, and advice provided on remedial action. It is envisaged that securing vulnerabilities and reducing risks will lead to a reduction in the likelihood of:

• Phishing attacks that can exploit vulnerabilities, particularly cross-site scripting, and weak or non-existent authentication or authorisation checks;

• Privacy violations from poor validation, business rule and weak authorisation checks;

• Identity theft through poor or non-existent cryptographic controls, remote file include and authentication, business rule, and authorisation checks;

• Systems compromise, data alteration, or data destruction attacks via Injections and remote file include;

• Financial loss through unauthorised transactions and Cross Site Request Forgery attacks;

• Reputation loss through exploitation of any of the above vuln

Country:
United Kingdom

Published:
Jan 01 1900

Deadline:
Feb 03 2012

Contact:
McConnell Alan

Email:
Alan.McConnell@dfpni.gov.uk





Source ID:
15462



