
SECTION C: EMPLOYER'S REQUIREMENTS (TECHNICAL SUBMISSION)

1. Introduction

a. Project Background

PWA ISD is planning to implement an Application Security, Security Incident Response and Data Forensics Mini Lab solution. The aims are:

Application Security: protect the most valuable, business-critical information assets containing sensitive data by analyzing static and dynamic code to identify and point out security vulnerabilities in source code during the earlier stages of the SDLC, prioritizing the results and providing best practices for developers to write secure code.

Security Incident Response: build resilient systems with agile incident response action plans and workflows, and centralize response coordination and collaboration, task management, threat intelligence, simulations, analysis and reporting.

Data Forensics Mini Lab: the capability and techniques to gather, investigate, analyze and preserve evidence from a particular computing device or digital medium in a way that is suitable for presenting facts and opinions about the digital information to the corporate investigation committee or in a court of law.

b. Project Objective

The objective is to select a supplier to assist PWA in establishing the most cost-effective and efficient comprehensive solution for the program "Application Security, Security Incident Response and Data Forensics Mini Lab Solutions", with 8x5 technical support services, while maintaining high standards of quality and service.

2. Assumptions/Dependencies

a. The Contractor has to provide an end-to-end solution for the deployment of the Solution and integrate it with PWA's internal monitoring and logging systems.
b. The Contractor has to perform the deployment with zero downtime.
c. The Contractor should be an authorized Platinum or Gold partner of the specific vendor whose product they propose.
d. The Contractor shall provide qualified/certified engineers to perform the required installation and configuration activities.
e.
The Contractor shall strictly adhere to the Service Level Agreement made between PWA and the Vendor.
f. The Contractor shall provide a Design/Solution document along with all the required diagrams.

Project ID: ISD 2016 SS 83 S, January 2017. Supply, Installation and Maintenance of Application Security, Security Incident Response and Data Forensics Mini Lab Solutions.

3. Technical Requirements

A. Application Security

An Application Security solution that spans the software development lifecycle and satisfies the security requirements, with the flexibility of testing web and mobile applications on demand and on premises. The solution should analyze static and dynamic code to identify and point out security vulnerabilities in source code during the earlier stages of the SDLC, prioritizing the results and providing best practices for developers to write secure code. PWA expects the Solution to support the following features:

- IDE plug-in integrations, including Eclipse and Visual Studio.
- Identifying vulnerabilities in multiple languages, including Java, JavaScript, SQL, C, C++, .NET (C#, ASP.NET), PL/SQL and COBOL.
- Providing source-level information and dataflow evidence for vulnerabilities.
- Providing detailed remediation guidance on how to fix vulnerabilities at the line-of-code level.
- Exporting the findings as reports.
- Detecting and fixing security issues in later stages of the software development lifecycle is much more costly; with source code security analysis, issues are detected and fixed at early stages of the lifecycle, where the cost of fixing them is lower.
- Integrating with build automation to automatically scan source code with each build. The Vendor should provide the configuration / integration requirements for IDEs and build systems.
- Security analysts should be able to manage all static tests, whether executed in build systems or by developers in their IDE.
- A customizable report generator to help demonstrate compliance with industry regulations and best practices, including the OWASP Top 10 and PCI.
- The product should be a leader in the field of source code analysis (GMQ, ...).
- Enables auditing of the source code of web applications (static analysis).
- Supports mobile applications for Android and iOS.
- Enables analysis of application-related threats.
- Allows advanced reporting, with details of the dashboards available or possible with the solution.
- Possibility of integration with IDE development environments (specify).
- Supports development frameworks (provide a clear list detailing the supported languages and frameworks).
- Allows static and dynamic analysis of applications (dynamic analysis optional).
- Enables identification of critical vulnerabilities against the OWASP Top 10, NIST and the SANS Top 25.
- Supports scheduled and continuous scanning.
- Supports Software Security Assurance Program governance.
- Supports runtime protection for applications.

A.1 Language Support

Source code analysis must support the programming languages listed in the following table.
Language                       | Versions
-------------------------------|------------------------------
ABAP/BSP                       | 6
ActionScript/MXML (Flex)       | 3, 4
ASP.NET, VB.NET, C# (.NET)     | 4.5 and earlier
C/C++                          |
Classic ASP (with VBScript)    | 2, 3
IBM Enterprise COBOL for z/OS  | 3.4.1 with IMS, DB2, CICS, MQ
ColdFusion CFML                | 8
HTML                           | 5 and earlier
Java (including Android)       | 5.0, 6, 7, 8
JavaScript/AJAX                | 1.7
JSP                            | 1.2, 2.1
Objective-C                    |
PHP                            | 5.3
PL/SQL                         | 8.1.6
Python                         | 2.6 - 2.7
T-SQL                          | SQL Server 2005, 2008, 2012
Ruby                           | 1.9.3
Visual Basic                   | 6
VBScript                       | 2, 5
XML                            | 1.0

A.2 iOS Code and Xcode Support

iOS SDK | Xcode Version
--------|--------------
7       | 5.0
7.1     | 5.1
8       | 6

A.3 Build Tools

Build Tool | Versions
-----------|--------------
Ant        | 1.8.x, 1.9.4
Jenkins    | 1.5
Maven      | 3.2.3
MSBuild    | 2, 3.5, 4.x
Xcodebuild | 5.x, 6.x

A.4 Compilers

Platform                                    | Compiler              | Versions
--------------------------------------------|-----------------------|---------------------------
Mac OS                                      | Xcode                 | 5.0, 5.1, 6.0, 6.1, 6.2
AIX, Linux, HP-UX, Mac OS, Solaris, Windows | gcc                   | GNU gcc 2.9 through 4.9
AIX, Linux, HP-UX, Mac OS, Solaris, Windows | g++                   | GNU g++ 3.2 through 4.9
Linux                                       | Intel C++ Compiler    | icc 8.0
Windows                                     | cl                    | VS 2010, 2012, 2013, 2015
Solaris                                     | Oracle Solaris Studio | 9, 10, 11, 12
AIX, Linux, HP-UX, Mac OS, Solaris, Windows | javac                 | 5, 6, 7, 8

A.5 Supported IDE Environments (Remediation Plugins)

IDE                     | Versions
------------------------|------------------------------------------------------------------
Eclipse                 | 3.7.2, 4.3.2, 4.4
JDeveloper              | 11.1, 12c
IntelliJ Ultimate       | 12, 13
IntelliJ Community      | 13
Android Studio          | 1.0.1
Microsoft Visual Studio | 2010 Premium, Professional and Ultimate; 2012 Premium, Professional and Ultimate; 2013 Premium, Professional and Ultimate; 2015 Premium, Professional and Ultimate

Note: SCA is not compatible with MS Visual Studio Express.
A.6 SCA Secure Code Plugin Service Integrations

Service      | Application                                                          | Versions         | Supported Tools
-------------|----------------------------------------------------------------------|------------------|-------------------------------------------------------------------------
Bug tracking | Bugzilla                                                             | 4.2              | Visual Studio SCP and Eclipse SCP
Bug tracking | HP Application Lifecycle Management (ALM) / HP Quality Center (HPQC) | 11.0, 11.5, 12.0 | Audit Workbench and Eclipse SCP
Bug tracking | Microsoft Team Foundation Server (TFS)                               | 2010, 2012, 2013 | Visual Studio SCP
Bug tracking | JIRA                                                                 | 6.1.6            | Plugin for Eclipse, HP Fortify Software Security Center 4.30 and Package for Visual Studio

Note: To integrate with TFS, you must first install the Visual Studio Team Explorer software. To integrate with TFS 2010, you must install Visual Studio SCP on a machine running Visual Studio 2010 Premium or Professional edition.

Vulnerability Check

- The product should support source code level scanning and analysis.
- The code scanner should support all languages listed in A.1 Language Support.
- The Vendor should maintain a database of all known vulnerabilities and update it with new vulnerabilities.
- The product should scan for all types of vulnerabilities described below.
Item | Vulnerability Class
-----|-----------------------------------------------------------------------------------------
1    | Access Control
2    | Arbitrary Command Execution
3    | Authentication & Authorization Evasion
4    | AJAX
5    | Backdoor Inputs & Exposure
6    | Buffer Overflows
7    | Command Injection
8    | Cookie Poisoning
9    | Configuration Management
10   | Content Spoofing
11   | Cross-site Scripting (the product tests for a minimum of 20 variants within this class)
12   | Data Sanitization
13   | Data Theft
14   | Debug Options
15   | Directory Listing, Enumeration
16   | Extension Checking
17   | Error Handling
18   | Forceful Browsing
19   | Format String Command Execution
20   | FTP
21   | Hidden Field Manipulation
22   | HTTP Attacks
23   | HTTP Response Splitting
24   | Identity Spoofing
25   | Insecure Configuration and Data Access
26   | Known Vulnerabilities
27   | LDAP Injection
28   | Malicious File Uploading
29   | One-Click Attacks
30   | Parameter Manipulation/Tampering
31   | Port Checks
32   | Session Fixation
33   | Session Hijacking
34   | SOAP Injection
35   | SQL
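Worked illustration (an added editorial example, not part of the tender and not the tendered product's or any vendor's engine): section A asks for "source-level information and dataflow evidence for vulnerabilities" and remediation "at the line-of-code level", and the table above lists Command Injection and SQL among the classes to be detected. The Python program below shows, in miniature, what such evidence looks like: a taint analysis over Python source using only the standard-library ast module, which follows attacker-controlled data from a source call through assignments and string building to a dangerous call, and prints every hop with its line. The SOURCES, SINKS and SANITIZERS tables, the function names, and the constructed SAMPLE module are all assumptions made for this demonstration; a product engine would carry far larger rule sets and cross-procedure flow.

```python
# Minimal intra-procedural taint analysis that reports dataflow evidence per finding.
# Added example, not the tendered product's engine; SOURCES, SINKS, SANITIZERS and SAMPLE are assumptions.
import ast
from collections import namedtuple

SOURCES = {"input", "request.args.get"}               # attacker-controlled return values
SINKS = {"os.system": ("Command Injection", 0),       # callee -> (class, tainted-arg index)
         "subprocess.run": ("Command Injection", 0),  # only when shell=True
         "cursor.execute": ("SQL Injection", 0)}      # query text only; bound params are safe
SANITIZERS = {"shlex.quote", "int"}                   # calls whose result is clean
Finding = namedtuple("Finding", "vuln_class sink line trace")  # trace: [(line, what), ...]

def dotted_name(node):                                # 'a.b.c' for a Name/Attribute chain
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None                                       # e.g. a method called on a literal

def taint_of(expr, env):
    """Trace showing how *expr* became tainted under *env*, or None if clean."""
    if isinstance(expr, ast.Name):
        return env.get(expr.id)
    if isinstance(expr, ast.Call):
        callee = dotted_name(expr.func)
        if callee in SOURCES:
            return [(expr.lineno, f"tainted data enters from {callee}()")]
        if callee in SANITIZERS:
            return None
        # Other calls pass taint through from a tainted receiver or argument (.format, .strip).
        for sub in ([expr.func.value] if isinstance(expr.func, ast.Attribute) else []) + expr.args:
            trace = taint_of(sub, env)
            if trace:
                return trace + [(expr.lineno, f"passes through {callee or 'call'}()")]
        return None
    for child in ast.iter_child_nodes(expr):          # concatenation, %-format, f-strings
        trace = taint_of(child, env)
        if trace:
            return trace
    return None

def statements(body):                                 # source order, into if/for/while/try bodies
    for stmt in body:
        if not isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            yield stmt                                # nested defs are analyzed on their own
            for part in ("body", "orelse", "finalbody"):
                yield from statements(getattr(stmt, part, []))

def analyze(source):
    """Return one Finding per sink call reached by tainted data, in source order."""
    findings = []
    for func in [n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)]:
        env = {}                                      # variable -> trace of its taint
        for stmt in statements(func.body):
            exprs = [c for c in ast.iter_child_nodes(stmt) if isinstance(c, ast.expr)]
            for call in (n for e in exprs for n in ast.walk(e) if isinstance(n, ast.Call)):
                callee = dotted_name(call.func)       # sinks are checked before assignment
                if callee not in SINKS:
                    continue
                if callee == "subprocess.run" and not any(        # argv list, no shell: safe
                        kw.arg == "shell" and getattr(kw.value, "value", None) is True
                        for kw in call.keywords):
                    continue
                vuln_class, idx = SINKS[callee]
                trace = taint_of(call.args[idx], env) if idx < len(call.args) else None
                if trace:
                    findings.append(Finding(vuln_class, callee, call.lineno,
                                            trace + [(call.lineno, f"reaches sink {callee}()")]))
            if isinstance(stmt, ast.Assign):
                trace = taint_of(stmt.value, env)
                for target in (t for t in stmt.targets if isinstance(t, ast.Name)):
                    if trace:
                        env[target.id] = trace + [(stmt.lineno, f"assigned to {target.id}")]
                    else:
                        env.pop(target.id, None)      # overwritten with clean data
    return findings

def format_finding(finding, source):                  # line-of-code evidence for the developer
    lines = source.splitlines()
    rows = [f"{finding.vuln_class}: {finding.sink}() at line {finding.line}"]
    rows += [f"  line {ln:>2}: {what:<42} | {lines[ln - 1].strip()}" for ln, what in finding.trace]
    return "\n".join(rows)
SAMPLE = '''\
import os, shlex, subprocess
def ping(request, cursor):
    host = request.args.get("host")
    cmd = "ping -c 1 " + host
    os.system(cmd)
    cursor.execute(f"SELECT * FROM hosts WHERE name = '{host}'")
def ping_safe(request, cursor):
    host = request.args.get("host")
    os.system("ping -c 1 " + shlex.quote(host))
    subprocess.run(["ping", "-c", "1", host])
    cursor.execute("SELECT * FROM hosts WHERE name = %s", (host,))
'''   # constructed sample module, not real project code
if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(format_finding(finding, SAMPLE), end="\n\n")
```

Running the file reports two findings for ping: a Command Injection at line 5 whose trace runs from the request.args.get() source on line 3 through the concatenation on line 4 to os.system(), and an SQL Injection at line 6 where the same tainted host is interpolated into the query text. ping_safe produces nothing, for three different reasons worth checking in any candidate tool: shlex.quote() is recorded as a sanitizer, subprocess.run() with an argv list and no shell is not treated as a sink, and the parameterized execute() keeps the tainted value out of the query string. Those three cases are exactly where a weaker analyzer either floods developers with false positives or stays silent.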