
Answers and Solutions ltd

Pen Testing. A PenTest service for Cloud Apps and Website hosting

This is an "ethical hacking" service. Actors on the dark web continuously index websites with vulnerabilities, looking to steal data and so on, and these lists are shared. This service scans your web-facing cloud system for weaknesses and reports your risk level. It won't fix the problems, but it allows you to make informed decisions.

Features

  • This service attempts to hack your website using known methods.
  • 100% cloud service: sees your website as a hacker does.
  • ...and you didn't think the 'Surname' field was an invitation for malicious code.
  • Checks for SQL injection, cross-site scripting and more.
  • Several service levels at differing price points.
  • Choose from a 'point in time' scan or periodic scans.
  • Checks unknown and risky WordPress plugins and data-driven apps.
  • Option for 1st and 2nd opinion PenTests using multiple examiners.

Benefits

  • Understand the existing risk in legacy cloud systems.
  • Demonstrates that you undertook due diligence.
  • If your IT is insecure, how insured is that insecurity?
  • Psychological benefits: tells your suppliers you are security aware.
  • Provides useful insights when engaging with suppliers.
  • Provides useful insight for discussing requirements with budget holders.
  • Reduces ransomware infestation risk. Reduces data corruption risk.
  • Reduces data theft risk. Reduces other GDPR risks.

Pricing

£600 to £2,000 a person a day

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Christopher.Wainwright@letsdiscuss.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

403775749752023

Contact

Answers and Solutions ltd Christopher Wainwright
Telephone: 02920733722
Email: Christopher.Wainwright@letsdiscuss.co.uk

Planning

Planning service
Yes
How the planning service works
This service runs remotely. It is cloud based and intended for cloud services. That said, DR facilities need to be in place (we are trying to break your site, after all). An onsite consultation will discuss the approach, what will be done and when.

The biggest risk comes not from our hosting platform but from software selected and installed by buyers. Software is often built from 'lego brick' modules containing unused legacy code, and that code is where the vulnerabilities lie. PenTesting is part of a security approach that exposes risk, but it does not in and of itself prevent a site from being hacked.

Software remediation can only be offered by the software house that created the product. Our deliverable will be a list of issues. Actions will vary according to the feasibility of remediation and the implications of replacing or ceasing to use the application. Other mitigating measures may be available. It is possible the risk is worth accepting; in that case you will have documented what the risk(s) were, the implications of a breach and the reasons the chosen mitigating actions were taken.

It must be remembered that the purpose of Pen-Testing is to find issues, not to fix faulty code. Furthermore, new exploits are continually being discovered, so it's an 'on the day' examination.
Planning service works with specific services
Yes
Hosting or software services the planning service works with
  • This service is for our Web and VPS hosting services
  • This service is detailed on our software service descriptions
  • This service might be available for inspecting other services

Training

Training service provided
No

Setup and migration

Setup or migration service available
Yes
How the setup or migration service works
Pen Testing is recommended as part of the security review required when migrating a service.
Setup or migration service is for specific cloud services
Yes
List of supported services
Transfer into our cloud hosting offering.

Quality assurance and performance testing

Quality assurance and performance testing service
Yes
How the quality assurance and performance testing works
This service is designed to allow buyers to undertake quality assurance of any data-driven cloud app or other website product accessed via an internet browser.

If the service is on G-Cloud, it can be QA'd with this service.

Security testing

Security services
Yes
Security services type
  • Security risk management
  • Security testing
  • Security audit services
  • Other
Other security services
PenTest capability for people we host content for.
Certified security testers
Yes
Security testing certifications
Other
Other security testing certifications
  • Tools built by ITSec companies employing CREST and CHECK consultants.
  • CREST and CHECK certify people, not tools. This allows skilled IT professionals to submit infrastructure to rigorous CREST-standard PenTesting.

Ongoing support

Ongoing support service
Yes
Types of service supported
Hosting or software provided by your organisation
How the support service works
We provide training for the Cloud software and hosting solutions we offer. This can be online or onsite.

Service scope

Service constraints
PenTesting looks for illegal "back doors"; it does not protect organisations against internal staff misusing privileges, illegally downloading data (if their job provides such access) or otherwise disclosing security credentials to third parties.

The service is not suitable for testing "On-Prem" products or services not visible from the Internet.

Other constraints exist but cannot be placed on public-facing websites such as G-Cloud. These can be discussed privately.

User support

Email or online ticketing support
Email or online ticketing
Support response times
The aim is a same-day response, with a 48-hour SLA.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Support levels
This will be determined according to the needs identified. The service is a set examination on an agreed day, with a report issued thereafter. The service can include an onsite review of the report at the buyer's offices.

Resellers

Supplier type
Reseller providing extra features and support
Organisation whose services are being resold
Various organisations according to the needs identified

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
Up to Security Clearance (SC)

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
See Q3
ISO/IEC 27001 accreditation date
See Q3
What the ISO/IEC 27001 doesn’t cover
This particular service is supplier-certified. Our technical staff use an advanced PenTesting system which we licence on a volume-usage basis; this is covered by the vendor's 27001 certifications. Our system looks at internet-facing security risks, not your department's non-internet assets and internal security. If on-site pentests are required, we can only provide these after discussing scope. We incorporate it as an option in all our offerings, or as a standalone service. Certification is revisited after each deployment. This entry is for the service as a standalone service. Further certification details are available on request.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
Yes
Who accredited the PCI DSS certification
Worldpay
PCI DSS accreditation date
04/06/2021
What the PCI DSS doesn’t cover
PCI DSS covers items in scope for Credit Card Processing. Other non CC aspects were/are excluded from scope.
Cyber essentials
Yes
Cyber essentials plus
No
Other security certifications
No

Social Value

Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

Fighting climate change

Our services help fight climate change by reducing and, where appropriate, eliminating the volume of home-to-office commuting necessary. Our data centres are powered by suppliers who use renewable energy.

Covid-19 recovery

Large in-person meetings attended by people travelling long distances carry a high risk of spreading Covid-19. Through digital communications, our services are helping the recovery by reducing mixing between widely spaced geographical locations.

Tackling economic inequality

We encourage our staff to do pro-bono work for UK-based charities because it allows them to assume high levels of responsibility and thus gain experience not easily obtained in a high-consequence workplace. Staff who are undertaking such activities are still paid a salary; this has multiple benefits. It benefits the people who use the services of the charity being supported. It also benefits the individual who can strengthen their skills in a safe environment.

We also employ people in the regions of the UK still affected by the post-industrial economies. We are able to redistribute economic activity and thus enhance the economic well-being of people in these economically disadvantaged areas.

We actively look for SME-sized organisations when seeking suppliers and sub-contractors because they offer better value for money and are usually staffed by highly motivated individuals. Contracts awarded to Answers and Solutions will help the UK Government in its drive towards its levelling up agenda.

Equal opportunity

Answers and Solutions are committed to equal opportunities and do not discriminate in any way. We provide opportunities for people whose family commitments make it easier for them to fit their work duties around family duties through not prescribing fixed working hours; we work to goals achieved and not the number of hours spent watching the clock. We allow staff to take extended time off during school holidays or when other caring duties require that.

Wellbeing

Self-fulfilled individuals will always make good employees, good employees make for conscientious staff, and that is always good for a Buyer.

We encourage all of our staff to develop their skills and stretch their abilities. We encourage our staff to do pro-bono work for UK-based charities because it allows them to assume high levels of responsibility and thus gain experience not easily obtained in a high-consequence workplace. We pay our staff while they do such work.

Pricing

Price
£600 to £2,000 a person a day
Discount for educational organisations
No