Penetration test and security review of Azure App Services customer portals

Tender ID: 579153


Tender Details

Tender #: PCS-01632
Status: Closed
Publish Date: 19 February 2025
Closing Date: 7 March 2025

Tender Description

The Inspector-General of Taxation and Taxation Ombudsman (IGTO) is a micro Federal Government agency of 35 staff that investigates taxation complaints about the Australian Taxation Office (ATO) or the Tax Practitioners Board (TPB). The IGTO collects and holds personal information classified up to Official: Sensitive.

In 2024, the IGTO migrated its complaint management system (CMS) to the Microsoft Dynamics 365 environment. This environment comprises the core system and two customer-facing portals:

  1. Dynamics 365: The primary solution for IGTO to manage complaints, conduct investigations, handle freedom of information requests, privacy matters, and stakeholder relationships.
  2. Azure App Service (Public Portal): Allows the general public to lodge complaints, monitor their progress, and review related documents. This portal uses an Azure Web Application Firewall (WAF).
  3. Azure App Service (Agency Portal): Enables agencies like the Australian Taxation Office and the Tax Practitioners Board to provide information to the IGTO. This portal also uses an Azure WAF and restricts access to known IP addresses.

The CMS and portals were configured and developed by a third-party vendor. Before their release in April 2024, a penetration test was conducted on the portals, and most findings were mitigated before going live.

We are seeking an application penetration test/security review of the two portals to ensure that unauthorised data cannot be accessed by unauthenticated or authenticated malicious attackers. The review should cover the following areas:

  • Review the configuration settings of the applications to ensure they follow best practices and are secure by design.
  • Simulate a malicious attacker to ensure no unauthorised data can be accessed.
  • Ensure that a malicious attacker cannot move laterally within the environments.
  • Ensure that a malicious attacker cannot inject malicious code into any of the portals.
  • Retest the portals if any remediation changes are made.

Mandatory Requirements:

  • Vendor must comply with the timelines specified in the RFQ.
  • Vendor must have previous experience completing penetration tests/security reviews on Microsoft Azure App Service environments for federal government agencies.
  • Vendor must provide an example output report of a previous penetration test/security review.
  • Total cost must represent value for money to the Commonwealth.

Estimated start date: Tuesday, 01 April 2025

Initial contract duration: 3 months

Extension term: Not applicable

Working arrangements: Remote


Location

New South Wales: Central West, Far North Coast, Far West, Hunter, Illawarra, Mid North Coast, Murray, New England, Orana, Riverina, Southern Highlands, Sydney
