Opportunity

SAM #28321326RI0000019

SSA RFI for Dynamic Application Security Testing (DAST) Tool

Buyer

SSA Office of Acquisition and Grants

Posted

May 05, 2026

Respond By

May 19, 2026

Identifier

28321326RI0000019

NAICS

513210, 541512

The Social Security Administration (SSA) is seeking information from industry regarding a Dynamic Application Security Testing (DAST) tool to strengthen its cybersecurity posture.

- Government Buyer:
  - Social Security Administration (SSA)
  - Office of Information Security, Web Application Security Team (WAST)
  - Office of Acquisition and Grants, 1540 Robert M. Ball Building, 6401 Security Blvd, Baltimore, MD 21235
- Requested Solution:
  - Dynamic Application Security Testing (DAST) tool
  - Tool must scan SSA applications during execution (black box testing)
  - Identify exploits and vulnerabilities in real-time
  - Support penetration testing for Tier 1 applications and information systems undergoing Authority to Operate (ATO)
  - Enhance FISMA metrics and satisfy external audit requirements
- Existing Tools Referenced:
  - Checkmarx (static application security testing)
  - Black Duck (software composition analysis)
  - No specific OEMs, vendors, product models, part numbers, or quantities provided
- Notable Requirements:
  - Solution must integrate with SSA's cybersecurity processes
  - Focus on Tier 1 applications and systems
  - Must support federal compliance and audit needs

Description

The Web Application Security Team (WAST) performs static code scanning of all SSA applications as part of the Office of Information Security’s (OIS) cybersecurity program. This is accomplished with the static application security testing (SAST) tool called Checkmarx and the software composition analysis (SCA) tool called Black Duck. Both of these solutions are white box testing tools that analyze the application’s code as it's being built.

WAST is looking to procure a Dynamic Application Security Testing (DAST) solution to better analyze SSA applications, to bolster FISMA metrics, and to satisfy the requirements from multiple external audits and assessments. The DAST tool would scan applications as they are executed to identify exploits that can only be detected from black box testing.

This funding is required immediately to better support the workload of multiple federal mandates and to provide black box testing early in the development lifecycle to stop exploits before they go to Production and potentially cause a security breach. This will also support a new requirement to perform penetration testing on all Tier 1 applications and all information systems going through the Authority to Operate (ATO) process.
