STATE OF WASHINGTON DEPARTMENT OF SOCIAL AND HEALTH SERVICES P.O. Box 45810, Olympia, Washington October 21, 2013

Transcription

1 STATE OF WASHINGTON DEPARTMENT OF SOCIAL AND HEALTH SERVICES P.O. Box 45810, Olympia, Washington October 21, 2013 To: RE: All Vendors Request for Information (RFI) The State of Washington, Department of Social and Health Services (DSHS) is requesting information from the vendor community regarding methods and solutions to provide high quality yet cost effective vulnerability code and database scanning. The purpose of this RFI is to gain knowledge of solutions available for source code and database vulnerability scanning. This RFI should not be construed as intent, commitment, or a promise to acquire services or solutions offered. Any prices or estimates provided are non-binding and should only reflect general prices readily available in a commercial environment. No contract will result from any response to this RFI. 1. OVERVIEW AND PURPOSE OF THIS REQUEST FOR INFORMATION: Currently, DSHS has no automated solution for code scanning and database vulnerability scanning, and relies on manual peer review and automated vulnerability/penetration testing of web-facing applications, and peer review for database implementations. Best practice for IT security requires multiple layers of defense; DSHS would like to augment the current practices. This RFI is an opportunity for the vendor community to provide creative and affordable solutions to remedy DSHS s lack of automated code scanning and database vulnerability scanning. DSHS has listed a series of minimal functional requirements but is open to any method which meets the standards listed below. The recommendations from the vendor community can be inclusive of both DSHS needs jointly or address the database and application source code independently 1.1 Application Source Code Scanning DSHS needs a solution to scan application source code to detect security vulnerabilities which could create a risk to the application. The recommendations from the vendor community may be software, appliance, or software as a service. The recommendation should be capable of scanning source code on all significant applications within DSHS, identifying vulnerabilities, providing guidance on mitigation of identified vulnerabilities, and maintaining sufficient documentation of identified vulnerabilities to allow a determination of the efficacy of the source code scanning. The recommendations should support all programming languages used within DSHS for new and existing applications, and support existing DSHS source code repositories and integrated

2 development environments (IDEs) as well as other languages/repositories/ides that might reasonably be used in the future. The following are the basic minimum standards required for the application source code scanning solution(s) Minimum Standards: The solution must support at least four of the following application languages: PHP 3.x and above Java, JSP, J2EE, JSTL, J2SE Classic ASP.NET (v2.0 v4.5) ASP.NET, C#, VB.NET, LINQ, C++ VB6 The solution must work with at least one of the following application version control products: TFS Team Foundation Server v2008 and up Subversion Tortoise The solution must provide support for both of the following Integrated Development Interfaces: Visual Studio version 2008 and above Eclipse 3.0 and above The solution must identify the following vulnerabilities: API Abuse Log forging Code Injection Obsolete functions Command Injection Open redirect CRLF Injection Reflection injection Cross site scripting XSS Weak crypt algorithm File Inclusion Session variable poisoning Hard-coded password SQL injection HTTP response splitting Tag injection Information leak of system Xpath injection data The OWASP Code Review LDAP Injection Top 9 Please note any other vulnerabilities that the product or service is able to identify. 1.2 Database vulnerability scanning:

3 DSHS also needs a solution to scan multiple databases for security vulnerabilities. The recommendations from the vendor community may be for software, appliances or software as a service. The recommendation should be capable of scanning all databases within DSHS, identifying vulnerabilities, providing guidance on mitigation of identified vulnerabilities, and maintaining sufficient documentation of identified vulnerabilities to allow a determination of the efficacy of the database scanning. The following are the basic minimum standards required for the database vulnerability scanning solution(s) Minimum Standards: The solution must support the following databases: Oracle Microsoft SQL Server MySQL IBM Informix DB2 (mainframe, windows, linux. Aux) PostgreSQL The solution must identify the following vulnerabilities: Buffer overflows Privilege escalation Denial of service Default and weak passwords Incorrect configurations Access control issues Missing or out of date security patches The solution must provide compliance reports for: ISO PCI CIS DISA-STIG HIPAA Federal tax information (IRS Publication 1075) 2. SPECIFIC QUESTIONS: Please note that these questions do not comprise an exhaustive list of issues but focus on areas of significant concern to DSHS. You may provide information in addition to the questions listed below if in your knowledge of the subject matter the additional information is relevant to the perceived intent of this RFI. Additional information should be clearly identified and labeled as to its topic, purpose and benefit in this inquiry.

4 2.1 - For the source code scanner, tell us what your solution can do. Technological Requirements. We would like to know what each solution provider recommends as minimal and optimal hardware specifications. Equipment and Software. We would like to know whether each solution provider supplies software, appliance(s) or software as a service. What are the optimal hardware configurations if any? Encryption and Security. We would like to know what each solution provider recommends as minimal and optimal specifications for encryption and data security requirements. Confidentiality. How can we ensure that the selected solution adequately protects the confidentiality of DSHS system information? For the database scanner tell us what your solution can do. Technological Requirements. We would like to know what each solution provider recommends as minimal and optimal hardware specifications. Equipment and Software. We would like to know whether each solution provider supplies software, appliance(s) or software as a service. What are the optimal hardware configurations if any? Encryption and Security. We would like to know what each solution provider recommends as minimal and optimal specifications for encryption and data security requirements. Confidentiality. How can we ensure that the selected solution adequately protects the confidentiality of DSHS system information? 3. IMPORTANT GENERAL INFORMATION Information submitted in response to this RFI will become the property of The State of Washington, Department of Social and Health Services. The State of Washington, DSHS will not pay for any information herein requested nor is it liable for any cost incurred by the vendor. Participation in this RFI is voluntary and will not be a mandatory requirement for any subsequent competitive procurement. Due Date for Responses: Please respond to this RFI by 3 pm, PST on November 15, 2013.

5 Electronic Submittal: Responses to this RFI will only be accepted electronically at Procedural or administrative questions may be directed to the RFI Coordinator listed above. Technical or requirement questions may be directed to Pablo Matute DSHS IT security We appreciate your response to this request.