Tender: Web Application Vulnerability Scanning
Contracting Authority: United Nations Secretariat, New York
Description: The United Nations Joint Staff Pension Fund is seeking expressions of interest from providers of web application vulnerability scanning tools that identify potential security vulnerabilities and architectural weaknesses in web applications. The ideal tool communicates with a web application through its web front-end (black-box dynamic scanning), automatically crawls the application, and tests it for common security problems such as Cross-Site Scripting, SQL Injection, Directory Traversal, insecure configurations, and remote command execution vulnerabilities.

Essential features:
– Availability of an on-premise deployment option
– Unlimited number of scan targets (IP addresses or URLs)
– Ability to integrate through an API
– Availability of compliance reporting and dashboard features
– Wide coverage of vulnerability types, including the OWASP Top 10 (e.g. SQLi, XSS, XXE, CSRF, SSRF)
– Ability to detect vulnerabilities in popular CMS platforms such as WordPress, Joomla! and Drupal
– Support for various input vectors (GET/POST/XML/JSON)
– Support for overcoming modern scan barriers, including:
  o Recording of login sequences
  o In-session logout detection (so the scanner re-authenticates when a session expires)
  o Custom authentication headers
  o Support for multiple domains (single-page applications)
  o Detection and configuration of anti-CSRF parameters and headers
  o Deep crawling, including HTML5 and AngularJS applications
  o Support for different authentication methods (HTTP/cookie-based and NTLM v1/v2)
– Remediation advice for each finding
– High accuracy and a low percentage of false positives
– Availability of support, maintenance and updates
– Ease of use

Responses to this EOI are invited by the deadline noted below for the purposes of market research and the formation of a sourcing list for possible solicitations on subject-matter requirements.
Deadline for the EOI: Feb. 1