Penetration Testing
Tender ID: 580432
Tender Details
Tender Description
This Tender is invited by the Issuer.
The Buyer requires its systems to undergo either vulnerability assessments or penetration testing to comply with the PSPF and ISM control 1163. The testing is delivered as annual work packages, or on an ad hoc basis as otherwise required.
The penetration testing will simulate real-world scenarios that threaten critical systems and data, and is designed to confirm that the Buyer's applications are not vulnerable to attack.
The Seller – through their Key Personnel – will be required to:
- Perform penetration testing on multiple developed web applications which are deployed and available over the internet. Each application to be tested is expected to have a separate scope and effort.
- The scope of testing for each individual web application is to include authenticated and unauthenticated access, authorisation at both the access (resource) and method (HTTP verb/operation) levels, handling of malformed requests (malicious or otherwise), and testing against OWASP guidance.
- The web applications will generally have the following broad technologies and properties:
  - HTML/JavaScript front ends, usually React, but other frameworks or libraries may be used.
  - APIs used to store and retrieve UI data, usually Spring Boot with Swagger (OpenAPI) documentation.
  - System-to-system data transfer APIs, usually Spring Boot with Swagger (OpenAPI) documentation.
  - Data stored and retrieved as XML, JSON, files and compressed files.
  - A portal may be used for authentication and authorisation.
  - Alternate or mixed authentication/authorisation mechanisms may be used, e.g. Basic authentication, client certificates, authentication tokens, OAuth, SAML, etc.
- For the duration of the penetration test, the Buyer will whitelist the source IPs allowed to access the applications. These IPs must be supplied by the Seller and must remain static for the duration of the testing.
The Seller is required to adhere to the following constraints in undertaking the testing:
- Social engineering and physical penetration tests are explicitly excluded from the scope.
- Denial-of-service testing and brute-force attempts to guess other usernames or passwords for the system must not be performed. Testing should, however, demonstrate resistance to brute-force patterns, e.g. by verifying that a test account is locked out after the configured number of failed login attempts.
- All testing will be limited to AUSTRAC's external testing environment. Testing on AUSTRAC's other internet assets is explicitly excluded.
- Only personnel who have been cleared by AUSTRAC may participate in the testing.
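The lockout check described in the constraints above, as an added example that is not part of the tender or of the Buyer's material: a small Python checker that sends exactly the configured number of failed logins for one agreed test account (refusing any other username, to stay inside the brute-force constraint) and then confirms that the correct password is refused. The mock login service, the five-attempt threshold, the account name and the HTTP status codes (401 for a bad password, 423 for a locked account) are assumptions for illustration; on a real engagement `login` would be pointed at the application's endpoint and the status classification adapted to its actual responses.

```python
"""Verify account lockout for a single authorised test account.

Added example, not the tender's own material. The MockLoginService, the
threshold of five attempts and the credentials below are constructed
assumptions so that the check runs offline.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

LoginFn = Callable[[str, str], Tuple[int, str]]  # (status code, body)


@dataclass
class MockLoginService:
    """Constructed stand-in for an application's login endpoint.

    Locks an account after `lockout_threshold` consecutive failures and
    answers 423 from then on, even to the correct password.
    """
    passwords: Dict[str, str]
    lockout_threshold: int = 5
    failures: Dict[str, int] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)

    def login(self, username: str, password: str) -> Tuple[int, str]:
        if username in self.locked:
            return 423, "account locked"
        if self.passwords.get(username) == password:
            self.failures[username] = 0
            return 200, "ok"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= self.lockout_threshold:
            self.locked.add(username)
            return 423, "account locked"
        return 401, "invalid credentials"


def verify_lockout(login: LoginFn, test_account: str, correct_password: str,
                   configured_threshold: int,
                   allowed_accounts: FrozenSet[str]) -> dict:
    """Send `configured_threshold` wrong passwords for `test_account`, then
    check that the correct password is rejected.

    Only accounts in `allowed_accounts` (the accounts agreed in the work
    package scope) may be tested; anything else is refused so the check can
    never drift into guessing other users' credentials.
    """
    if test_account not in allowed_accounts:
        raise ValueError(f"{test_account!r} is not an agreed test account")

    # Deliberately wrong password derived from the known one: this is a
    # lockout probe, not a guess at any real credential.
    wrong_password = correct_password + "-WRONG"
    statuses: List[int] = []
    for _ in range(configured_threshold):
        status, _body = login(test_account, wrong_password)
        statuses.append(status)
        if status == 200:
            return {
                "locked_out": False,
                "failed_attempts_sent": len(statuses),
                "statuses": statuses,
                "status_with_correct_password": None,
                "finding": "wrong password accepted; lockout test aborted",
            }

    # After the configured number of failures the real credentials must fail.
    status_after, _body = login(test_account, correct_password)
    locked_out = status_after != 200
    # First attempt that returned something other than a plain 401, i.e. the
    # point at which the application started signalling a lock (if it did).
    lock_seen_at = next((i + 1 for i, s in enumerate(statuses) if s != 401), None)
    return {
        "locked_out": locked_out,
        "failed_attempts_sent": len(statuses),
        "statuses": statuses,
        "lock_seen_at_attempt": lock_seen_at,
        "status_with_correct_password": status_after,
        "finding": ("account locked as configured" if locked_out
                    else "correct password still accepted after "
                         f"{configured_threshold} failures: no lockout"),
    }


if __name__ == "__main__":
    # Constructed sample: one agreed test account, threshold of five.
    service = MockLoginService({"pentest-user": "Correct-Horse-7"})
    result = verify_lockout(service.login, "pentest-user", "Correct-Horse-7",
                            5, frozenset({"pentest-user"}))
    print(result["finding"], result["statuses"])
```

The check reports a result rather than printing it so that it can be recorded in the interim report, and the `allowed_accounts` guard is the part a practitioner should keep even when the rest is adapted: it is what makes the probe compliant with the "no guessing other usernames or passwords" constraint.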
In responding to this RFQ, the Seller must provide:
- a rate card with fixed prices for services covering the above requirements; and
- details on the qualifications, experience, and current clearance levels of the Key Personnel who will deliver the services together with their hourly rates (GST inclusive).
The clearance details for the Key Personnel will be verified by AUSTRAC. Key Personnel will also be required to undergo an AUSTRAC Suitability Assessment before undertaking any work under the contract.
Work packages under the contract will be delivered at a time and for a price agreed between the parties on a fixed price basis. The agreed price will not exceed the price provided in the Seller’s rate card.
The process for each work package will be as follows, or as subsequently agreed between the parties in writing:
- The Seller and AUSTRAC negotiate scope, cost and terms of the work package.
- AUSTRAC raises a purchase order for the work package and notifies Seller.
- Seller provides IP address details for whitelisting.
- AUSTRAC provides documentation and credentials.
- Project kick-off at AUSTRAC's office or via teleconference. AUSTRAC's project team will provide functional context on the security proxy and the legacy application to be tested, and answer any questions about the scope and the functionality to be tested.
- Seller performs testing and provides AUSTRAC with interim report.
- AUSTRAC addresses any critical issues identified within interim report.
- Seller retests rectified issues to confirm fix resolves issue.
- Seller provides final report.
- AUSTRAC revokes key personnel access to application.
- Seller submits invoice for payment.
The initial 12 months Contract Price shall not exceed $80,000 (GST Inclusive).