Provision of Army Digital Services Security & Vulnerability Assessments Specialist & Technical Capability (DInfoCom/0212)

Descriptions

There is a requirement for specialist technical assistance to provide code assisted Vulnerability Assessments (VA) and Penetration Testing (PT) security assessments on both new and in-service applications/infrastructure. Security assessments, PT's and VA's are used to identify vulnerabilities in code and infrastructure (networks, servers, operating systems and applications) that could potentially be exploited. Attackers can be hackers trying to gain access into our network or systems, state sponsored activists or an insider threat. They will aim to either extract information that is held on applications and hosting environments or cause extensive disruption to services. ADS has 2 hosting environments, the Army Hosting Environment (AHE) and Joint Server Farm (JSF). The JSF is accessible from the internet via the Defence Gateway and holds information classified at Official. The AHE holds Official, Secret and Sensitive Personal Information which if extracted would not only be damaging to the Army's reputation, it could jeopardise potential operations. It could also incur fines from the Information Commissioner if there were a breach of personal information. An attack to disrupt any of the services ADS provides would significantly erode the Army's ability to operate, as many of the systems support day to day activities and processes. It is therefore imperative that vulnerabilities are identified and remedied/mitigated to reduce the risk of these occurrences. All new applications expecting to be hosted on the AHE or the JSF must have a vulnerability assessment before being allowed onto the environment to ensure there are no weaknesses which could potentially allow an attacker access to the wider infrastructure and applications. Existing applications, hosting environments and platforms must be VA'd on a rolling programme to ensure any changes do not increase vulnerability and potential for being attacked.