Job ID: MD-G20B8400006 (912590813)2P
Security Analyst (CISSP or CEH required) with .NET web application security risk assessment, authenticated access to PII, non-intrusive PEN testing, and Windows/SQL Server/IIS/networking/UNIX experience
Location: 120 East Baltimore Street, Baltimore, MD (Maryland State Retirement Agency (SRA))
Duration: 2 years
Positions: 4 (4/1-n)
Documents: certification copies, 3 references
Member shall possess either a current ISC2 Certified Information Systems Security Professional (CISSP) or a Certified Ethical Hacker (CEH) certification.
Member shall have experience in conducting web application security risk assessments, with at least two (2) application security risk assessments performed within the past three (3) years.
a. At least two (2) security risk assessments must have assessed custom, .NET framework designed applications.
b. At least two (2) security risk assessments must have involved applications where users authenticate securely through the Internet to transmit and receive sensitive data (i.e., Personally Identifiable Information – PII).
Member shall possess experience in conducting non-intrusive external penetration (PEN) testing.
Agency is soliciting proposals to:
1. Conduct a PEN test on two (2) Internet-facing computing environments: (A) the Demilitarized Zone (DMZ) hosting production Internet applications and services, and (B) the remote disaster recovery location in Annapolis, MD that hosts the backup Agency public website; and
2. Conduct a thorough security assessment of three (3) Internet-facing applications (File Upload, Employer Payroll Reporting, and the Secure Document Reprint feature) developed by the Agency. File Upload and Employer Payroll Reporting are designed to allow business partners to upload data files to a secured web server for back-end data processing. The Secure Document Reprint feature (a set of secure pages accessed from the Agency’s public web site) allows participants to reprint 1099R and Personal Statement of Benefits (PSB) documents.
3. Conduct a thorough security/vulnerability assessment of the Agency’s internal Wireless Local Area Network (WLAN/WiFi) infrastructure to assess security risk, encompassing areas such as: access control points, cryptographic mechanisms, resiliency to malicious attack, overall WLAN architecture, and incident reporting/alerting capabilities.
Requirements and Tasks
2.3.1 Infrastructure Penetration (PEN) Testing
TO Contractor shall evaluate the security of MSRA’s public network infrastructure devices/systems and the Agency’s internal WLAN, via PEN testing, including:
A. Microsoft Windows Server (2008/2012/2016), including Microsoft Terminal Services/Remote Desktop,
B. Microsoft SQL Server (2008/2012/2014),
C. Microsoft Internet Information Server (IIS),
D. Routers and switches,
E. Wireless access points, and
F. UNIX-OS based firewalls.
External penetration testing by the TO Contractor shall be conducted with the goal of revealing vulnerabilities that could be exploited by an external threat or attack. Identified risks shall be classified (Low, Medium or High) by the TO Contractor. Testing shall include at a minimum:
A. Test Internet-facing servers and border security devices for vulnerabilities or misconfigurations that could lead to system compromise, denial of service/defacement, or allow penetration to downstream systems or information,
B. Discover any open ports/unneeded services exposure,
C. Evaluate devices and systems for configuration errors or insecure security settings,
D. Review public network security architecture for potential weaknesses or vulnerabilities, and
E. Assess resiliency to malware/malicious code intrusion.
Penetration testing performed by the TO Contractor shall be of a non-intrusive, passive nature to ensure that no Agency production systems are impacted during this project. No copying, modification, deletion, or writing of data to/from production systems is acceptable without prior knowledge and written approval by the TO Manager. No production system downtime attributed to the PEN test is acceptable.
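Items B and C above (open ports, unneeded services, insecure settings) are usually answered from scan output rather than from exploitation, which is what keeps the work within the non-intrusive constraint. The script below is an added example, not Agency tooling or part of the TORFP: it reads an nmap XML file that has already been collected (the scan itself is the step that needs the TO Manager's written approval), lists every open port on each Internet-facing host, and rates the ones a public web DMZ host has no business exposing (Remote Desktop, SQL Server, SMB) using the TORFP's Low/Medium/High scale. The sample XML, the hosts, and the port-to-rating policy are constructed assumptions for illustration.

```python
"""Review an already-collected nmap XML scan of Internet-facing hosts for
exposed services. Added illustration, not Agency tooling: it only reads scan
output, so it writes nothing to any target."""
import xml.etree.ElementTree as ET

# Constructed sample in nmap's XML format; hosts are in the RFC 5737
# documentation range and do not belong to the Agency.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sT -sV -oX dmz.xml 192.0.2.10 192.0.2.11">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Microsoft IIS httpd" version="8.5"/></port>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="https" product="Microsoft IIS httpd" version="8.5"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/>
        <service name="ms-wbt-server" product="Microsoft Terminal Services"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="1433"><state state="open"/>
        <service name="ms-sql-s" product="Microsoft SQL Server" version="2012"/></port>
      <port protocol="tcp" portid="445"><state state="filtered"/>
        <service name="microsoft-ds"/></port>
    </ports></host>
</nmaprun>
"""

# Services that should not be reachable from the Internet on a DMZ host, with
# an assumed Low/Medium/High rating in the TORFP's scheme (illustrative, not a
# rating the Agency prescribes).
EXPOSURE_POLICY = {
    3389: ("High", "Remote Desktop / terminal services reachable from the Internet"),
    1433: ("High", "SQL Server listener reachable from the Internet"),
    445: ("High", "SMB reachable from the Internet"),
    23: ("High", "Telnet: cleartext administration"),
    21: ("Medium", "FTP: cleartext credentials"),
    80: ("Low", "HTTP without TLS; confirm it only redirects to HTTPS"),
}
EXPECTED_PUBLIC = {443}  # the only service a public web DMZ host needs to expose
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2}


def parse_open_ports(xml_text):
    """Return one dict per open port found in an nmap XML document."""
    root = ET.fromstring(xml_text)
    open_ports = []
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are not exposure
            svc = port.find("service")
            product = ""
            if svc is not None:
                product = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            open_ports.append({
                "host": addr.get("addr"),
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else "unknown",
                "product": product,
            })
    return open_ports


def classify_exposure(open_ports):
    """Rate every open port that is not on the expected-public list; High first."""
    findings = []
    for entry in open_ports:
        if entry["port"] in EXPECTED_PUBLIC:
            continue
        risk, rationale = EXPOSURE_POLICY.get(
            entry["port"],
            ("Medium", "unexpected service on an Internet-facing host; confirm business need"))
        findings.append(dict(entry, risk=risk, rationale=rationale))
    findings.sort(key=lambda f: (RISK_ORDER[f["risk"]], f["host"], f["port"]))
    return findings


def report(xml_text):
    """Human-readable finding lines, one per rated port."""
    return ["%-6s %s:%d/%s %s (%s) - %s" % (
        f["risk"], f["host"], f["port"], f["proto"], f["service"], f["product"], f["rationale"])
        for f in classify_exposure(parse_open_ports(xml_text))]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_NMAP_XML)))
```

Against the constructed sample this flags 3389 and 1433 as High and 80 as Low, and ignores the filtered 445 because a filtered port is the border device doing its job. The policy table is where the assessor records the Agency's actual expectations per host role; anything not in it defaults to Medium so that an unexplained listener is never silently accepted.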
2.3.2 Application Testing
TO Contractor shall assess the security of the secure web applications listed above in this TORFP to identify and classify the risk (Low, Medium or High) of external attack on the Agency’s information systems. Specifically, TO Contractor shall pinpoint the weaknesses in the applications/programs that could be exploited by an external threat (see functional areas A through G below), and explain in detail the potential damage an external attack could cause.
The application-level security assessment shall address, at a minimum, the following functional areas:
A. Programming code integrity – conduct a code review to detect the presence of exploitable code or design flaws that could compromise the application or downstream systems,
B. User authentication security integrity,
C. Access control mechanisms,
D. Data communications – integrity and confidentiality protections,
E. Session management – protections against attacks such as man-in-the-middle, session hijacking or session replay attacks,
F. Input validation integrity – protect against Cross-site scripting (XSS), SQL injection, or buffer overflow attacks, and
G. Auditing – presence of adequate auditing/logging of system events to preserve non-repudiation integrity and assess the capabilities present to detect/alert on targeted attacks or malicious activities.
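Item F is the area where the code review in item A most often pays off, so it helps to be concrete about what the reviewer is looking for. The following is an added example, not Agency code and not part of the TORFP: a login lookup written the vulnerable way (user input spliced into the SQL text) beside the same lookup with bind parameters, run against an in-memory SQLite database that stands in for SQL Server. The schema, the two users, their passwords, and the payload are constructed for the demo; the password hashing is deliberately simplified because it is not the point.

```python
"""Vulnerable vs. parameterized login query. Added illustration, not Agency
code: SQLite stands in for SQL Server, and the schema, users and passwords are
constructed for the demo."""
import hashlib
import sqlite3


def password_hash(password):
    # Demo only: a production application stores salted, slow hashes
    # (PBKDF2, bcrypt, ...). The hashing is not what this example is about.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db():
    """In-memory table with two constructed accounts (ids 1 and 2)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
        "password_hash TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("admin", password_hash("S3cret!")), ("employer42", password_hash("payroll-2019"))],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The defect a reviewer looks for under item F: untrusted input becomes SQL."""
    sql = ("SELECT id FROM users WHERE username = '%s' AND password_hash = '%s'"
           % (username, password_hash(password)))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Same query with bind parameters: the input is data, never SQL."""
    sql = "SELECT id FROM users WHERE username = ? AND password_hash = ?"
    row = conn.execute(sql, (username, password_hash(password))).fetchone()
    return row[0] if row else None


# Comment payload: the closing quote ends the string literal and "--" turns the
# rest of the statement, including the password check, into a comment. T-SQL
# treats "--" the same way, so the shape of the attack carries over to SQL Server.
PAYLOAD = "admin' --"


def demonstrate():
    """Run both variants with a valid login and with the payload; return user ids."""
    conn = make_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "admin", "S3cret!"),
        "legit_hardened": login_hardened(conn, "admin", "S3cret!"),
        "bypass_vulnerable": login_vulnerable(conn, PAYLOAD, "wrong"),
        "bypass_hardened": login_hardened(conn, PAYLOAD, "wrong"),
    }


if __name__ == "__main__":
    for name, user_id in demonstrate().items():
        print("%-18s -> user id %s" % (name, user_id))
```

With the payload, the vulnerable query collapses to `SELECT id FROM users WHERE username = 'admin'` and returns the admin account without a password; the parameterized query looks for a user literally named `admin' --` and returns nothing. In the .NET applications in scope the equivalent review question is whether every `SqlCommand` text is built from constants with values passed as `SqlParameter`s (or through an ORM that parameterizes), and whether any code path concatenates request data into `CommandText`; input validation on top of that is defence in depth, not the primary control.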
2.3.3 Security Vulnerabilities
TO Contractor shall isolate and identify security vulnerabilities discovered in network perimeter security devices. This process shall include documenting operating system vulnerabilities and system misconfigurations, Web server and back-end database server vulnerability to targeted attacks (e.g., XSS, SQL injection, defacement, etc.), susceptibility of internal system resources and data to compromise, security control inadequacies, and other identified security risks.