On Apr 22, 2019, at 4:03 PM, Tod Olson <tod@uchicago.edu> wrote:I agree in liking NCC a bit more, their response seems more tailored to our specific request. That said, it's also interesting the sample report from Bishop Fox. We'd probably be happy with either, and I also lean toward NCC.In the NCC SOW, item 5 says that we will provide a client for the in-scope web services, and if we don't that could change the SOW. I'm a little uncertain what this means practically, and that may be my inexperience with this sort of engagement. From the cover letter, it seems like they have a reasonable expectations about what they will need to do to test the APIs, but that may be wishful reading on my part. Is it worth clarifying whether we can provide such a client, or whether they know already what they may have to build?
-Tod
On Apr 22, 2019, at 1:58 PM, Peter Murray <peter@indexdata.com> wrote:
For the budget constraints the client provided (around $30k), I feel we can reasonably cover the "Securing Okapi" set of repos - they don't really have a test instance set up, so if we take 2d to spin up our own local copy of it all, that'd leave us 10d to test the web services of 94 APIs with ~ 38kloc Java code. We may need to spin up parts of their demo/reference UI to make it easier to use, but if so, those parts should be out of scope.
Not sure that is enough to disqualify them; I'd need to hear more from Mike about his interactions with them.
PeterOn Apr 22, 2019, 1:37 PM -0400, Mike Gorrell <mdg@indexdata.com>, wrote:
Below and attached are the documents/quotes we received from the two security vendors that were solicited based on the OTS report (and whom OTS recommended). A 3rd vendor (Veracode) was explored, but were found to be more of a tools provider rather than a consultancy that could assess architectural aspect of FOLIO’s software.
My recommendation is to go with NCC. They were more responsive by far, and generally seemed more hungry for the deal. Technically both appeared to have sufficient expertise - and neither stood out from the other.
NCC quoted $32,400 for 14 person days of effort. Bishop Fox quoted $37,680 for 157 hours of effort (note the typo in their email - the numbers add to 157 and the price equates to 157). Since their quotes are generally in the same ballpark I will approach the FOLIO Stakeholders about funding this audit. In the mean time we can discuss which vendor the overall TC recommends, and what, if anything, we want to have changed with their proposals.
Thanks.
-mdg
From: Nicole Walker <nwalker@bishopfox.com>
Subject: RE: Index Data _ Bishop Fox Intro Call
Date: April 15, 2019 at 8:32:23 AM EDT
To: "mdg@indexdata.com" <mdg@indexdata.com>
Cc: Britt Gray <bgray@bishopfox.com>
Good morning Mike,I apologize for the delay in getting this quote to you. Below is the quote for both the Hybrid Application Assessment of the FOLIO Application and a Cloud Deployment Review. I have also attached our testing methodology for our Hybrid Application Assessment, a sample Comprehensive report, and the out Letter of Assessment FAQ.Hybrid Application Assessment – FOLIO – 111 hours
Cloud Deployment Review – 34 hoursRemediation – 12 hoursDeliverables:
- Status Updates
- Comprehensive Report
- Report Walkthrough
- Letter of Assessment
- Remediation Validation Report
Total Hours – 147 x $240 hourly rate = $37,680We are happy to offer Index Data a discounted rate of $240 per hour. This is a 13% discount off of our standard hourly rate of $275.Please feel free to reach out if you have any questions. I will follow up with a SOW.
To unsubscribe from this list please go to http://archives.simplelists.com
<BF - Hybrid Application Assessment Methodology - v7.pdf><BF - Acme Corporation - Sample Comprehensive Report.pdf><BF - Letter of Assessment FAQ.pdf><IndexData_NCCGroup_Folio Test_Proposal_v1.0.pdf><IndexData_NCCGroup_Folio Test_SOW_v1.0est.pdf>To unsubscribe from this list please go to http://archives.simplelists.com
To unsubscribe from this list please go to http://www.simplelists.com/confirm.php?u=SeK0ArgpLZB2ijVHc1q8eivZ4CXy8J2w