Procurement Summary
State : Delhi (NCT)
Summary : Cert-in Empaneled Auditing Organisations for Security Audit of Web and Mobile Applications
Deadline : 22 Mar 2023
Other Information
Notice Type : Tender
TOT Ref.No.: 80476614
Document Ref. No. :
Financier : Self Financed
Purchaser Ownership : Public
Document Fees : Refer Document
Tender Value : Refer Document
EMD : Refer Document
Tender Details
Requests for proposals are invited from CERT-In empaneled auditing organisations for the security audit of web and mobile applications.
Founded in 1999, India HIV/AIDS Alliance is a not-for-profit operating in partnership with civil society, government and communities to support sustained responses to HIV in India that protect rights and improve health. Complementing the country programme, we build capacity, provide technical support and advocate to strengthen the delivery of effective, innovative, community-based HIV programmes to vulnerable populations affected by the epidemic. More at www.allianceindia.org
The proposed RFP is for the security audit of the web-based application (CMIS) and the mobile application. The technical details of the web and mobile (tablet) applications are available in the detailed RFP provided on the Alliance India procurement portal (Tero Tam).
Scope of work
The interested auditing organisations should be empaneled under CERT-In.
The selected auditing agency would be expected to perform the following tasks to analyse and review the security of the web application and the mobile app. The auditors will have to assess the vulnerabilities and risks that exist in the applications through Internet-facing vulnerability assessment and penetration testing.
This will include identifying remedial solutions and recommendations for implementing them to mitigate all identified risks. The auditing agency will also be expected to propose a risk mitigation strategy and give specific recommendations to tackle the residual risks emerging from the vulnerability assessment. The mobile app and web application should be audited as per national and international industry standards and Government of India approved measures. The auditor is expected to submit the final audit report after the remedies/recommendations are implemented. The final report will certify the particular mobile app and web application as "Certified for Security". The scope of the proposed audit tasks is given below.
*The audit firm/company will be required to prepare the checklists/reports.
Task 1: Web security audit/assessment.
To check the web and mobile applications for web attacks. The checks should cover the following vulnerabilities and any other attacks to which web/mobile applications are vulnerable.
1. Vulnerabilities to SQL injections
2. CRLF injections
3. Directory Traversal
4. Authentication hacking/attacks
5. Identification and authentication failures
6. Password strength on authentication pages
7. Server-side request forgery (SSRF)
8. Scan JavaScript for security vulnerabilities
9. File inclusion attacks
10. Remotely exploitable vulnerabilities
11. Web server information security
12. Cross-site scripting
13. HTTP injection
14. Buffer overflow, invalid inputs, insecure storage etc.
15. Data encryption and confidentiality of data.
16. Cryptographic failures
17. Broken access control
18. Insecure design
19. Security misconfiguration
20. Vulnerable and outdated components
21. Any other applicable attack or vulnerability
Task 2: Re-audit based on the Recommendations Report from Task 1
The vendor will be responsible for providing a detailed recommendations report for the vulnerabilities observed in Task 1.
Task 3: Re-audit, if required, based on the Recommendations Report from Task 2.
If vulnerabilities are observed from the re-audit, the vendor must provide a detailed recommendations report on the vulnerabilities observed or found from Re-audit/Task 2. We expect that all vulnerabilities will be removed at the Task 3 stage.
The audit firm must submit a summary compliance report at the end of each task. The final report should separately certify that the mobile and web applications (naming each mobile/web application) are "Certified for Security".
After a successful security audit of the mobile and web applications, the security audit report from the auditor should clearly state that all web pages along with respective linked data files (in pdf/doc/xlsx etc. formats), all scripts and image files are free from any vulnerability or malicious code, which could be exploited to compromise and gain unauthorized access with escalated privileges into the webserver system hosting the said mobile/web applications.
Expected Deliveries
The auditing agency will be required to submit the following documents after the audit of each application (mobile and web). The audit firm must also submit suggestions/recommendations and other detailed steps for enhancing security.
Security Audit of Web (Client Management Information System) and Mobile Application (eMpower)
Interested agencies meeting the eligibility criteria must submit their technical and financial bids following the guidelines in our Procurement Portal (Tero Tam) on or before the closing date.
Interested agencies can submit proposals through the Alliance India e-Procurement Portal. For this, the interested agency must first register with our e-procurement portal using the information below.
All supporting documents must be self-attested by the applicant organisation's consultant or Authorized Office Bearer.
The link to our e-procurement portal is https://evendor.terotam.com/user/signup.
Customer ID: ZWAg9gZ6
Queries regarding this RFP should be sent only to procurement@allianceindia.org, by 11.59 PM on 19 March 2023 at the latest. Alliance India shall respond to all meaningful queries from prospective applicants by 20 March 2023. Responses to questions shall be compiled and sent, through email only, to all the applicants who raised the queries.
The last date for submission is 22nd March 2023.
Any queries with respect to this RFP should be made to the aforementioned email ID only. Any attempt by an applicant to influence the procurement procedures will lead to disqualification of the RFP submitted by that applicant.
Documents
Tender Notice