Some advice when writing security assessment RFPs
I have been answering quite a few security assessment RFPs lately, mostly geared towards penetration testing of the external and internal environment (you guessed it – PCI). What I have noticed is that the writers of the RFP typically do not include enough detail for the organizations attempting to answer it to give a solid response. Basically, if you need a good answer to your RFP, you have to give me enough to scope the amount of time it is going to take me to get the work done.
- If you have 200 external IPs and you want those scanned for vulnerabilities, and then you want the findings used for penetration testing, I have to know that in order to scope the work.
- If you have applications on those servers, I need to know whether I will have credentials or whether this is going to be totally black-box testing. I also need to have SOME idea of how many apps I am going to run up against.
- If you want me to scan your internal network for vulnerabilities, I have to know how many machines I am going to be scanning.
- Etc., etc., etc.
If you would provide this kind of quantitative information up front, I would not have to write up a bunch of questions and send them to you, and you would not have to take the time to answer them (and probably send them back to me 2 days before the responses are due). It really is simple: if I don’t have this information, I have to guess, and you are going to get an inaccurate response (of course, you might be looking for a completely black-box test where I am blind to any information – the effectiveness and efficiency of that is for another blog post on another day).
Of course, many people will tell you that RFPs are often written in such a way as to discourage responses, because the company writing the RFP already has a partner in mind, and that partner probably already has the answers to any questions. The RFP writer is simply going through the motions because of company policy. I get that.
But if you are writing an honest RFP, one that is simply inspired by a need and is seeking multiple responses from which the best is chosen, then please include the information needed in the RFP itself so things can proceed smoothly. Thank you for your consideration.
Vet