Website Penetration Testing

Tender ID: 585165


Tender Details

Tender #:
PCS-02200  
Status:
Closed
Publish Date:
9 May 2025
Closing Date:
21 May 2025
Closing Time:
11:59 PM (Australia/ACT)

Tender Description

This Tender is invited by the Issuer.

Requirements

The Administrative Review Tribunal is seeking to engage Professional Services to perform penetration testing of its new website, art.gov.au, to identify any potential vulnerabilities that could be exploited by malicious actors, so that the Tribunal can mitigate those risks.

The Administrative Review Tribunal is an Australian Government tribunal that reviews a wide range of administrative decisions made under Commonwealth and Norfolk Island laws.

The Tribunal commenced on 14 October 2024, replacing the former Administrative Appeals Tribunal. The new Tribunal’s website, art.gov.au, was launched at commencement and has now been live for 6 months. We have also recently implemented single sign-on access for users via the Tribunal’s network.

Security requirements for penetration testing of art.gov.au (production site)

Testing should adopt the following attack vectors/personas:

  • Unauthenticated testing from an internet-facing perspective (i.e., public user)

The Tribunal is seeking non-destructive, logical testing of the components only. It is not seeking:

  • Physical testing of any components of the solution
  • Physical testing of any support locations
  • Any social engineering of any individuals or entities involved with the solution

At a minimum, the following scenarios should be covered with the supplier supplementing scenarios based on real-world experiences:

  1. A motivated external actor attempting to access sensitive information without authorisation and/or authentication.
  2. An unauthorised external actor attempting to gain or forge privileged access to system components.
  3. An unauthorised external actor attempting to maliciously add, modify or delete data.
  4. An unauthorised external actor attempting to circumvent security controls.
  5. An unauthorised external actor attempting to cause damage to, or infiltrate, the application.
  6. An unauthorised external actor manipulating application functions to achieve an objective (business logic/access controls) or to forge another user's identity.

Testing seeks to validate the following criteria:

  1. Services and applications provide as little information as possible when queried directly.
  2. System components cannot be enumerated so as to provide details of the architecture.
  3. System administrative planes have robust controls to prevent/detect exploitation.
  4. The system cannot be manipulated by an actor to access the information of another subject (i.e., a person who has submitted a form to the Tribunal).
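As an added illustration of how the first two criteria are typically checked from the unauthenticated, internet-facing perspective (this is example code, not part of the tender or the Tribunal's material): a screening function that parses a raw HTTP response and flags response headers, default session cookie names and error-page bodies that reveal the product or version behind a site. The two responses below are constructed for the example, not captured from art.gov.au, and the header, cookie and body-pattern lists are a starting point a tester would extend, not an exhaustive list.

```python
"""Screen raw HTTP responses for information that helps an attacker fingerprint the stack.

Added example for this page; the responses are constructed, not captured from any live site.
"""
import re
from typing import List, Tuple

# Response headers that commonly identify the web server or framework. A bare product
# name is a "product" disclosure; a version string is the more useful finding for an attacker.
DISCLOSURE_HEADERS = frozenset(
    {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator", "via"}
)
VERSION_RE = re.compile(r"\d+\.\d+")

# Default session cookie names that identify the platform even when headers are stripped.
FINGERPRINT_COOKIES = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET",
    "csrftoken": "Django",
}

# Body fragments characteristic of verbose error pages and stack traces.
VERBOSE_BODY_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("Python traceback", re.compile(r"Traceback \(most recent call last\)")),
    ("Java stack frame", re.compile(r"\bat [\w.$]+\(\w+\.java:\d+\)")),
    ("Tomcat error report", re.compile(r"Apache Tomcat/[\d.]+ - Error report")),
    ("PHP warning with path", re.compile(r"Warning: .+ in /\S+\.php on line \d+")),
    ("ASP.NET verbose error", re.compile(r"ASP\.NET is configured to show verbose error messages")),
]


def parse_response(raw: str) -> Tuple[int, List[Tuple[str, str]], str]:
    """Split a raw HTTP/1.x response into (status code, [(header, value), ...], body).

    Headers are kept as an ordered list because Set-Cookie may legitimately repeat.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def find_disclosures(raw: str) -> List[str]:
    """Return one human-readable finding per disclosure found in the response."""
    status, headers, body = parse_response(raw)
    findings = []
    for name, value in headers:
        if name in DISCLOSURE_HEADERS:
            kind = "version" if VERSION_RE.search(value) else "product"
            findings.append(f"header {name}: {value!r} ({kind} disclosure)")
        elif name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            if cookie_name in FINGERPRINT_COOKIES:
                findings.append(
                    f"cookie {cookie_name}: default name identifies {FINGERPRINT_COOKIES[cookie_name]}"
                )
    for label, pattern in VERBOSE_BODY_PATTERNS:
        if pattern.search(body):
            findings.append(f"body: {label} in HTTP {status} response")
    return findings


# Constructed sample responses (not real captures): a leaky stack and a hardened one.
LEAKY_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "Warning: include(missing.php): failed to open stream in /var/www/html/index.php on line 12"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=opaque; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html><body>Something went wrong. Please try again later.</body></html>"
)

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {find_disclosures(raw) or 'no disclosures'}")
```

In practice the tester feeds this the responses from a handful of deliberately unusual requests (a non-existent path, a malformed parameter, an unsupported method), since error handling is where verbose output most often survives; a clean result on the home page alone does not satisfy criterion 1.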

Testing requirements:

The Tribunal expects that the supplier will utilise their expertise to provide a “tests to be conducted outline” and suggestions to us, to address scenarios or attack vectors based on current trends and/or intelligence, and the supplier’s standard practice. 

Deliverables

  1. Agreed testing plans, scenarios and methodology
  2. Agreed project schedule and timelines for the testing plans
  3. Proposed project schedule and timelines for the testing plans
  4. A detailed technical report and walkthrough of the findings
  5. A business-language executive report
  6. An allocation for re-testing should the ART remediate any vulnerabilities discovered in the original testing

Scoping

An initial scoping should cover, but is not limited to, the following (based on the supplier’s proposal):

  • Scoping Clarification (what is in and out of scope)
  • Rules of Engagement
  • Network/Web Enumeration
  • Network/Web Traffic Analysis
  • Key Application Discovery