Department of Finance

Penetration testing services

Important dates

Opportunity ID
Deadline for asking questions
Monday 26 February 2018 at 6PM (in Canberra)
Closing date for applications
Thursday 1 March 2018 at 6PM (in Canberra)
Thursday 22 February 2018


Write a summary of your brief

Finance requires penetration testing services for the Organisations and Appointments Register (OAR) and Govdex systems. OAR provides a directory for capturing government body information. Salesforce backend; users update information; Drupal frontend website displays register. GovDEX provides a collaboration environment. Built with a mix of Atlassian products, and custom code.

What is the latest start date?
Mid April 2018
How long is the contract?

90 days

Where can the work take place?
  • Australian Capital Territory
  • Offsite
Who will the specialist work for?
Department of Finance
How much can you spend per day?

About the work

Who will the specialist work with?

Product Owner

Security Team

Web Developers

What will the specialist do?

Suitably qualified and experienced service provider to undertake penetration testing of the OAR and GovDEX systems.

Key Deliverables for each system are:

• Test Plan

• Test the production sites for vulnerabilities, both as an unauthenticated and authenticated user

• Provide a report detailing areas of the website tested or not tested, vulnerabilities found, risks identified and provide recommendations on mitigating the vulnerabilities and risks identified

• A separate report will be required for each system.

Any additional relevant information?

Authentication testing is subject to further discussion with Finance and may occur on the test site to maintain the integrity of the production data.

Finance may require retesting of High / Medium vulnerabilities within the scope of this service to verify implemented remediation’s.

Finance will provide relevant documentation for this consultancy including high level design documentation.

Work setup

Where will the work take place?

1 Canberra Ave, Forrest, ACT 2603

What are the working arrangements?

In person at the office for the kickoff meeting. However from then on, over the telephone is acceptable.

Proposed Schedule:

Penetration testing kickoff meeting: March 2018


• Penetration testing commences: March 2018

• Assessor to provide draft report: March 2018.

• Assessor to provide final report: March 2018


• Penetration testing commences: April 2018

• Assessor to provide draft report: April 2018.

• Assessor to provide final report: April 2018

CVs of nominated staff are to be included with the proposal. Pricing for a Time and Materials assignment to be stated.

Is security clearance required?

Commonwealth Baseline clearance

Additional information

Additional terms and conditions

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate sellers’ technical competence.

Essential skills and experience
  • Expertise, qualifications and demonstrated experience (last 12 months) of the personnel undertaking the services. Personnel must: i. Have conducted penetration of web based systems.
  • ii. Be familiar with Australian Government security standards (i.e. Protective Security Policy Framework and ISM) and industry best practice.
  • iii. Demonstrated knowledge and understanding of security issues relating to online services.
  • iv. Provide information on relevant qualifications held
  • Describe the proposed high-level approach to conducting penetration testing.
  • Ability to complete the services in a timely manner.
Nice-to-have skills and experience
Understanding of Drupal, Atlassian and Salesforce technology (not essential)

How sellers will be evaluated

How many specialists will you evaluate?
Cultural fit
Area of expertise
Cyber security
How will you verify the specialist is right for the role?
  • Work history
  • References
How will you evaluate the specialists?

Technical competence

Cultural fit


Seller questions

Seller questions
Seller question Buyer answer
1. Testing will require a baseline security clearance, is the department willing to sponsor clearances? For this engagement and timeframe it is expected that suppliers will have a current clearance.
2. 1) Are you able to provide a testing environment that mirrors the production environment, so that sensitive data/systems are protected during testing? 2) Is the Organisations and Appointments Register (OAR) an internal application, hence the requirement for onsite testing? If not, why is onsite testing required for the authenticated components? 3) Can you provide any more information about the web applications e.g. Number of forms, static or dynamic pages, different roles etc.) 1) As stated in the approach to marked authentication testing “may occur on the test site to maintain the integrity of the production data”. This will be subject to further discussion with Finance on execution of the contract. 2) The requirement for onsite testing for OAR is due to firewall rules. 3) User roles in GovDEX: Pages are as per Confluence and JIRA. User roles in OAR: There are 9 Visual Force pages, 3 standard objects, 10 custom objects, and 108 Organisation components. Drupal frontend public website.
3. 2) Is the Organisations and Appointments Register (OAR) an internal application, hence the requirement for onsite testing? If not, why is onsite testing required for the authenticated components? Further clarification to the question, as per the brief overview the work can be conducted offsite. This includes outside the ACT.

Interested in this opportunity?

Before you can apply for this opportunity, you need to:

  1. Register to join the Marketplace.
  2. Submit a case study and pricing for Cyber security and check your documents are up-to-date.
  3. Request an assessment of your case study for Cyber security.