I agree that between the two proposals, NCC is much more detailed and more closely aligned with our needs. I'm a little surprised that neither proposal made reference to the OWASP Top 10, though (but maybe I'm dating myself).


If budget is a concern, we can also ask EPAM for their proposal – I’d expect it to be significantly less ($50/hour as opposed to $240/hr).  EPAM employs a team of security specialists and has a separate practice dedicated to conducting security audits.


From: <tech-council@ole-lists.openlibraryfoundation.org> on behalf of Mike Gorrell <mdg@indexdata.com>
Reply-To: "tech-council@ole-lists.openlibraryfoundation.org" <tech-council@ole-lists.openlibraryfoundation.org>
Date: Tuesday, April 23, 2019 at 8:11 AM
To: "tech-council@ole-lists.openlibraryfoundation.org" <tech-council@ole-lists.openlibraryfoundation.org>
Subject: Re: Security vendor for Audit


To Peter's point: when I was talking with NCC they asked about budget, and I told them we didn't have one and explained how funding requests are handled in FOLIO. That's when I said something to the effect of "I imagine $30k would get approved relatively quickly but $120k would not".


Their inclusion of that casual analysis doesn't bother me. It helps provide context on how they think and how they would plan the engagement.


I still like NCC.


-mdg


On Apr 22, 2019, at 4:03 PM, Tod Olson <tod@uchicago.edu> wrote:


I agree in liking NCC a bit more; their response seems more tailored to our specific request. That said, the sample report from Bishop Fox is also interesting. We'd probably be happy with either, and I also lean toward NCC.


In the NCC SOW, item 5 says that we will provide a client for the in-scope web services, and that if we don't, that could change the SOW. I'm a little uncertain what this means practically, and that may be my inexperience with this sort of engagement. From the cover letter, it seems like they have reasonable expectations about what they will need to do to test the APIs, but that may be wishful reading on my part. Is it worth clarifying whether we can provide such a client, or whether they already know what they may have to build?


-Tod 



On Apr 22, 2019, at 1:58 PM, Peter Murray <peter@indexdata.com> wrote:


It seems like NCC demonstrated a better awareness of what was needed of them, and as a whole I like their proposal better.  There is just a little sloppiness in their proposal that is raising red flags for me.  In addition to typos/grammatical errors, there is this paragraph on page 6 that I don't think was supposed to be in the version sent to us:


For the budget constraints the client provided (around $30k), I feel we can reasonably cover the "Securing Okapi" set of repos - they don't really have a test instance set up, so if we take 2d to spin up our own local copy of it all, that'd leave us 10d to test the web services of 94 APIs with ~ 38kloc Java code. We may need to spin up parts of their demo/reference UI to make it easier to use, but if so, those parts should be out of scope. 


Not sure that is enough to disqualify them; I'd need to hear more from Mike about his interactions with them.



Peter

On Apr 22, 2019, 1:37 PM -0400, Mike Gorrell <mdg@indexdata.com>, wrote:

Below and attached are the documents/quotes we received from the two security vendors that were solicited based on the OTS report (and whom OTS recommended). A third vendor (Veracode) was explored, but was found to be more of a tools provider than a consultancy that could assess architectural aspects of FOLIO's software.


My recommendation is to go with NCC. They were more responsive by far, and generally seemed hungrier for the deal. Technically, both appeared to have sufficient expertise, and neither stood out from the other.


NCC quoted $32,400 for 14 person-days of effort. Bishop Fox quoted $37,680 for 157 hours of effort (note the typo in their email: the numbers add to 157 and the price equates to 157). Since their quotes are generally in the same ballpark, I will approach the FOLIO Stakeholders about funding this audit. In the meantime we can discuss which vendor the overall TC recommends, and what, if anything, we want to have changed in their proposals.


Thanks.


-mdg


From: Nicole Walker <nwalker@bishopfox.com>

Subject: RE: Index Data _ Bishop Fox Intro Call

Date: April 15, 2019 at 8:32:23 AM EDT

Cc: Britt Gray <bgray@bishopfox.com>


Good morning Mike, 


I apologize for the delay in getting this quote to you. Below is the quote for both the Hybrid Application Assessment of the FOLIO Application and a Cloud Deployment Review. I have also attached our testing methodology for our Hybrid Application Assessment, a sample Comprehensive Report, and our Letter of Assessment FAQ.


Hybrid Application Assessment – FOLIO – 111 hours
Cloud Deployment Review – 34 hours
Remediation – 12 hours

Deliverables: 

  • Status Updates
  • Comprehensive Report
  • Report Walkthrough
  • Letter of Assessment
  • Remediation Validation Report

Total Hours – 147 x $240 hourly rate = $37,680


We are happy to offer Index Data a discounted rate of $240 per hour. This is a 13% discount off of our standard hourly rate of $275. 


Please feel free to reach out if you have any questions. I will follow up with a SOW.

Nicole Walker

ACCOUNT MANAGER

(404) 323-9177

www.bishopfox.com


To unsubscribe from this list please go to http://archives.simplelists.com


<BF - Hybrid Application Assessment Methodology - v7.pdf><BF - Acme Corporation - Sample Comprehensive Report.pdf><BF - Letter of Assessment FAQ.pdf><IndexData_NCCGroup_Folio Test_Proposal_v1.0.pdf><IndexData_NCCGroup_Folio Test_SOW_v1.0est.pdf>

