Request for Proposal (RFP) - External Penetration Testing of Web Application and Network Infrastructure.

1. Introduction:

Irembo Ltd is a technology company in the gov-tech and fin-tech spaces that designs and develops digital products focused on users in Africa, starting with Rwanda.

At Irembo, we recognize the importance of proactive cybersecurity measures and undergo an annual external penetration test to understand our security posture.  To achieve this, we are seeking proposals from qualified and experienced cybersecurity firms to conduct an external penetration test on our web application and infrastructure. The objective is to identify vulnerabilities, assess risks and provide recommendations for improving our security posture.

2. Scope of Work

• Conduct a comprehensive Web Application & API Penetration Test
• Conduct an External Network Penetration Test

Provide detailed reports from the above which should include:

• An executive summary
• Technical findings with severity ratings
• Proof-of-concept for identified vulnerabilities
• Risk assessment and Impact analysis
• Tools and methodologies (commands, etc) used during the engagement
• Remediation recommendations
• All test cases considered during the engagement and findings

3. Requirements

The Proposal shall contain the following:

Letter of Technical Proposal Submission

Methodology

• Methodology of how each test in scope will be carried out, including a graphical representation of your network and application penetration test methodology
• The portion of testing that is manual as opposed to automated testing
• The minimum number of hours to be performed on each testing activity
• Graphical representation of network and application testing methodology

Company profile including, but not limited to, the following details

• Number of years of experience in Security Testing and relevant consultation services (Vulnerability Analysis, Penetration Testing, Social Engineering, Red Teaming, technical audits, assessments, training, and forensics) to Essential Service providers and Critical Infrastructure Institutions  
• Past Experience with projects of Security Testing and relevant consultation services (Vulnerability Analysis, Penetration Testing, Social Engineering, Red Teaming, technical audits, assessments, training, and forensics) to Institutions  
• Certified resources on payroll
• Comprehensive details of bidder, present clientele, and projects of comparable stature;
• A redacted copy of previous penetration test reports (Web Application and External Network)
• The details of the team assigned to the project
• Suggested timelines

The selected bidder must possess at least ten (10) years of experience providing the proposed IT security assessment consulting services for critical infrastructure and experience with large organisations in government and private industries.

The selected bidder must demonstrate that their staff collectively possess recent experience conducting IT security assessment services described below:

• Vulnerability Assessments: Demonstrated experience in leading and participating in vulnerability assessments that include web applications, networks, and source code Qualifications should consist of combinations of the following certifications:
• The number of certified professional Certified resources on the payroll as mentioned below:  Licensed Penetration Tester (LPT) / Certified Ethical Hacker (CEH) / Computer Hacking Forensic Investigator (CHFI) / Certified Information Systems Security Professional (CISSP) / GIAC Exploit Researcher and Advanced Penetration Tester (GXPN) / Offensive Security Certified Expert (OSCE)/ Offensive Security Certified Professional (OSCP) / Offensive Security Exploitation Expert (OSEE) / Offensive Security Web Expert (OSWE) / GIAC Penetration Tester (GPEN) / GIAC Web Application Penetration Tester (GWAPT) / Certified Expert Penetration Tester (CEPT) certified / Certified Information System Auditor (CISA)

The selected bidder shall certify that no Respondent employee providing services to the state shall have been convicted of (a) a felony; or (b) a misdemeanour involving violence, sexual misconduct, or dishonesty. A Respondent who does not meet these minimum qualifications will be deemed nonresponsive and not receive further consideration. 

4. Deliverables

The successful bidder will be required to submit the following after the engagement.

• A detailed report with security status and discovered vulnerabilities, weaknesses, and misconfigurations with associated risk levels and actions for risk mitigation.
• A presentation of findings to key stakeholders
• Retesting after remediation efforts

SUMMARISED TABLE FOR REQUIREMENTS & MARKS  

 All qualified and interested bidders should submit their proposals electronically through Irembo’s e-procurement portal no later than 30th September 2024 at 5 PM. Consulting firms will be required to sign up or register if they don’t have an account already. This tender is listed under the “IT Hardware and Software” service category; be sure to include it on your profile. 

After registration, our team will review your profile. You will only be allowed access after your account has been approved.

Upon successful login, navigate to “Tenders” and locate Tender Number 1100012. More guidelines can be found on the signup page. All inquiries related to this tender are to be addressed to procurement@irembo.com 5 calendar days before the bidding deadline.