Penetration test and security review of Azure App Services customer portals
Tender ID: 579153
Tender Details
Tender Description
The Inspector-General of Taxation and Taxation Ombudsman (IGTO) is a micro Federal Government agency of 35 staff that investigates taxation complaints about the ATO or TPB. The IGTO collects and holds personal information classified up to Official: Sensitive.
In 2024, the IGTO migrated its complaint management system (CMS) to a Microsoft Dynamics 365 environment. The environment consists of the core system and two customer-facing portals:
- Dynamics 365: The primary solution for IGTO to manage complaints, conduct investigations, handle freedom of information requests, privacy matters, and stakeholder relationships.
- Azure App Service (Public Portal): Allows the general public to lodge complaints, monitor their progress, and review related documents. This portal uses an Azure Web Application Firewall (WAF).
- Azure App Service (Agency Portal): Enables agencies like the Australian Taxation Office and the Tax Practitioners Board to provide information to the IGTO. This portal also uses an Azure WAF and restricts access to known IP addresses.
The CMS and portals were configured and developed by a third-party vendor. Before their release in April 2024, a penetration test was conducted on the portals, and most findings were mitigated before going live.
We are seeking an application penetration test/security review of the two portals to ensure that unauthorised data cannot be accessed by unauthenticated or authenticated malicious attackers. The review should cover the following areas:
- Review the configuration settings of the applications to ensure they follow best practices and are secure by design.
- Simulate a malicious attacker to ensure no unauthorised data can be accessed.
- Ensure that a malicious attacker cannot move laterally within the environments.
- Ensure that a malicious attacker cannot inject malicious code into any of the portals.
- Retest the portals if any remediation changes are made.
Mandatory Requirements:
- Vendor must comply with the timelines specified in the RFQ.
- Vendor must have previous experience completing penetration tests/security reviews on Microsoft Azure App Service environments for federal government agencies.
- Vendor must provide an example output report of a previous penetration test/security review.
- Total cost must represent value for money to the Commonwealth.
Estimated start date: Tuesday, 01 April 2025
Initial contract duration: 3 months
Extension term: Not applicable
Working arrangements: Remote