Problem:
There has been a Vulnerability discovered in Apache web servers,. The vulnerability is of an RCE type and may allow threat actors to compromise the servers and gain ROOT access. It has been a while since they last performed any security assessments on the environment hence they need a 3rd party as soon as possible.
They would need to go to RFP to find the best vendor for this project.
What are some of the parameters you would need to consider in order to write the RFP and choose the best vendor for the job? Points to consider are:
1. Type of assessment needed (PT/VA/Health checks)?
2. Black/White/Grey Box methodology?
3. What systems will you include in the test, or exclude?
4. Qualifications of the 3rd party?
5. Should you indicate budget limits?
6. How will you evaluate possible vendors?