PCS-03280 Penetration Testing

Tender ID: 602440


Tender Details

Tender #: PCS-03280
Status: Closed
Publish Date: 11 December 2025
Closing Date: 17 December 2025
Closing Time: 11:59 PM (Australia/ACT)

Tender Description

This Tender is invited by the Issuer.

The Digital Transformation Agency requires comprehensive penetration testing of the Australian Government Architecture (AGA) Authenticated Space Single Sign-On implementation. This SSO solution enables DTA users to authenticate to AGA services via the GovCMS SaaS platform using the SAML 2.0 protocol, through VANguard FAS and Microsoft Entra ID.

SCOPE:

Testing focuses on SAML 2.0 authentication flows, session management, role-based access control (RBAC), and security configuration. Key areas include:

- SAML AuthnRequest/Response validation, signature verification, replay attack prevention

- Session management: cookie security, timeout enforcement, session fixation/hijacking resistance

- Access control: paragraph-level permissions, private file access, privilege escalation testing

- Transport security: TLS configuration, HTTPS enforcement, CSRF protection

- Configuration security: certificate validation, secure key storage, error handling
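
As an added illustration (not part of this tender, and not code from the DTA, GovCMS or VANguard implementations), the following Python sketch shows the service-provider-side checks that the first two scope items exercise: the response is only processed once its XML signature has been verified, Destination and InResponseTo are bound to the outstanding AuthnRequest, the Conditions window and AudienceRestriction are enforced, the bearer SubjectConfirmationData is checked, and assertion IDs are cached so a captured Response cannot be re-posted within its validity window. The XML-DSig verification itself is assumed to be done by an XML security library and is passed in as the boolean `signature_verified`; the sample Response, the `example.test` URLs, the request ID `_req42` and the clock value are all constructed for the example.

```python
# Added example, not project code: minimal SAML 2.0 Response validation for an SP.
import xml.etree.ElementTree as ET  # for untrusted XML in production, parse via defusedxml
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


class SamlValidationError(Exception):
    """Any failed check: the login must be rejected."""


def parse_ts(value):
    # SAML timestamps are UTC ISO 8601; normalise a trailing 'Z' for fromisoformat
    if value is None:
        raise SamlValidationError("missing timestamp attribute")
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


class ReplayCache:
    """Remembers assertion IDs until they can no longer be valid."""

    def __init__(self):
        self._seen = {}  # assertion ID -> time after which it may be forgotten

    def check_and_add(self, assertion_id, expires_at, now):
        self._seen = {k: v for k, v in self._seen.items() if v > now}  # purge stale
        if not assertion_id or assertion_id in self._seen:
            raise SamlValidationError("replayed or missing assertion ID")
        self._seen[assertion_id] = expires_at


def validate_response(xml_text, *, expected_request_id, expected_audience, expected_acs_url,
                      signature_verified, cache, now, clock_skew=timedelta(seconds=60)):
    """Returns the authenticated NameID, or raises SamlValidationError."""
    if not signature_verified:  # assumption: XML-DSig checked by a library before this point
        raise SamlValidationError("XML signature not verified")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlValidationError("not a samlp:Response")
    if root.get("Destination") != expected_acs_url:
        raise SamlValidationError("Destination does not match this ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        raise SamlValidationError("InResponseTo does not match an outstanding AuthnRequest")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlValidationError("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # zero or several assertions is never acceptable here
        raise SamlValidationError("expected exactly one Assertion")
    assertion = assertions[0]
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("assertion has no Conditions")
    not_before, not_on_or_after = parse_ts(cond.get("NotBefore")), parse_ts(cond.get("NotOnOrAfter"))
    if now + clock_skew < not_before or now - clock_skew >= not_on_or_after:
        raise SamlValidationError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise SamlValidationError("assertion not intended for this SP (Audience)")
    # Bearer confirmation must be bound to our request and our ACS endpoint as well
    scd = assertion.find(f"saml:Subject/saml:SubjectConfirmation[@Method='{BEARER}']"
                         "/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != expected_request_id \
            or scd.get("Recipient") != expected_acs_url \
            or now - clock_skew >= parse_ts(scd.get("NotOnOrAfter")):
        raise SamlValidationError("bearer SubjectConfirmationData missing, mismatched or expired")
    cache.check_and_add(assertion.get("ID"), not_on_or_after + clock_skew, now)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise SamlValidationError("missing NameID")
    return name_id.text


# Constructed sample Response (unsigned here; signature verification is assumed above).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
 IssueInstant="2026-01-05T09:00:00Z" Destination="https://sp.example.test/saml/acs" InResponseTo="_req42">
 <saml:Issuer>https://idp.example.test/</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2026-01-05T09:00:00Z">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.test</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="https://sp.example.test/saml/acs"
     NotOnOrAfter="2026-01-05T09:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2026-01-05T08:59:00Z" NotOnOrAfter="2026-01-05T09:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.test/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""
DEMO_NOW = datetime(2026, 1, 5, 9, 0, 30, tzinfo=timezone.utc)  # constructed SP clock
DEMO_ARGS = dict(expected_request_id="_req42", expected_audience="https://sp.example.test/",
                 expected_acs_url="https://sp.example.test/saml/acs", signature_verified=True)


def run_demo():
    """Accept the first post, then reject a replay, a mismatched request ID, and a stale post."""
    cache = ReplayCache()
    outcomes = {"name_id": validate_response(SAMPLE_RESPONSE, cache=cache, now=DEMO_NOW, **DEMO_ARGS)}
    cases = (("replay", {}, DEMO_NOW),
             ("wrong_request", {"expected_request_id": "_req99"}, DEMO_NOW),
             ("expired", {}, DEMO_NOW + timedelta(minutes=10)))
    for label, overrides, now in cases:
        try:
            validate_response(SAMPLE_RESPONSE, cache=ReplayCache() if label == "expired" else cache,
                              now=now, **{**DEMO_ARGS, **overrides})
            outcomes[label] = "accepted"
        except SamlValidationError as exc:
            outcomes[label] = str(exc)
    return outcomes


if __name__ == "__main__":
    print(run_demo())
```

The ordering matters for a tester reading results: signature and InResponseTo are checked before anything in the assertion is trusted, and the replay cache keys on the assertion ID for slightly longer than the assertion's own NotOnOrAfter so clock skew cannot open a window for a second submission.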

OUT OF SCOPE: VANguard FAS infrastructure, Microsoft Entra ID, GovCMS platform core, network infrastructure, social engineering, DoS testing, unrelated Drupal Contributed Modules.

DELIVERABLES:

1. Test Plan & Methodology (within 5 days of contract execution)

2. Interim Progress Report (at 50% completion)

3. Final Penetration Testing Report (within 5 days of testing completion)

4. Remediation Verification Report (after fixes deployed)

5. Weekly status reports during testing

TESTING REQUIREMENTS:

- Non-production environment mirroring production

- Coordinate with GovCMS (minimum 1-week advance notice)

- Testing hours: Mon-Fri 9am-5pm AEDT

- Black-box and grey-box methodology using industry-standard tools

Estimated start date: Monday, 05 January 2026

Initial contract duration: 1 Month

Extension term: Not applicable

Working arrangements: Remote

Additional budget information:

Budget should cover:

- Planning and test methodology development

- 2-3 weeks of active penetration testing in non-production environment

- Interim and final report preparation

- Remediation verification testing

- Weekly status reporting and coordination meetings

- All necessary testing tools and licenses

- Professional indemnity insurance requirements

Quotes should clearly break down costs by phase:

1. Planning and coordination

2. Active testing execution

3. Report development

4. Remediation verification

Please specify daily/hourly rates for key personnel and any additional costs for extended testing hours if required.