Monday, 10 April 2017

RfP for Owasp SAMM assessment (£10k budget)

Here is a project brief I have been asked to share by a company that operates across Europe, USA and Australia.

Seems to me like a great opportunity for an active member of the OWASP/SAMM community :)

Ping me if your company (or you) want to respond, and I'll put you in touch with them.

--------

Project brief:

Our e-commerce security maturity is of critical importance to us and our valued customers.

Through this RfP process, we are approaching the App/InfoSec community to invite responses from Europe-based AppSec consultants and businesses who are interested in engaging with our Group Security team to deliver an acute assessment of our individual teams' security maturity.

We welcome responses from those who are well versed in the OWASP SAMM methodology and have full-stack technical experience of auditing complex e-commerce environments and practices. Experience in producing board-level written reports and visualisations of the data collected is highly desired. The data is to be collected using the OWASP Maturity Model tool.

Advanced communication, analytical, technical architecture and application security experience must be held, and referenced by supporting examples of work.

Technical speciality in the following areas will be required:
  • Platforms: Windows, Linux, AWS (esp. EC2, Aurora), Azure (esp. ESB, API gateway), Docker
  • Infrastructure: Cisco, Juniper, A10 or equiv. NLB
  • Languages and Frameworks: .Net, Java, JavaScript (NodeJS, React, Angular), Perl, MySQL, SCADA systems

Responses to this RfP should include:
  • Details around how many days of effort will be allocated to the project, split by skill level if relevant.
  • CVs (i.e. LinkedIn, GitHub, Twitter and Blog) of those consultants taking part in the assessments and report writing will be required. Ideally a pool of candidates will be available, allowing the selection of the best consultants to work on each team/technology stack.

Being able to be fully briefed, and then work autonomously, is a key requirement.

Travel to the UK and mainland European destinations inc. Spain, France and Germany will be required.

A quick start is required to meet project timelines.

Relevant details:
  • SAMM: https://www.owasp.org/index.php/OWASP_SAMM_Project
  • Maturity Model Tool: https://github.com/owasp/Maturity-Models
  • Budget: £10k for App/InfoSec consultant time, +£2k reasonable expenses
  • Geographies: UK, France, Spain, Germany
  • Language requirements: Fluent written English. Proficiency in French, Spanish and/or German would be advantageous but not mandatory.
  • Timescales: Full delivery of a set of multi-team OWASP SAMM security maturity reports in May 2017.