2 556 3 - Support for Web Application Security Assessment (WASA)
Period: Delivery driven (start on 25 Aug. 2025).
Deadline: 11 Jul. 2025.
Duties/Roles:
1. Black box testing
Results are published on the dedicated portal when they are found – contractor must monitor the portal at least once a day. An email notification mechanism is available.
a. Once a new vulnerability is found, appropriate technical POCs must be contacted. Depending on the severity, it must be done immediately or on a weekly basis.
2. Grey box testing according to the planned schedule. Once the assessment is finished, an assessment report is released.
a. Contractor must review and validate the discovered vulnerabilities and their severity.
b. For each assessment report, prepare a remediation plan and provide it to the appropriate technical POC.
3. Progress on remediation plans for all sites must be verified at least once a week. Work might need to be performed in parallel for different sites. Remediation plans and dashboards should be updated as soon as there are updates from involved parties.
4. Work onsite (Mons Office) is required for frequent communication on Internal NATO Systems to enable checks.
5. Maintain a WASA inventory sheet with all stakeholders’ information for all sites.
6. Participate weekly in progress meetings with stakeholders (OCIO). Maintain dashboards and spreadsheets reflecting current remediation statuses for all active assessment campaigns.
7. Monthly, prepare presentations and briefs for the Enterprise Vulnerability Assessment Plan (EVAP), under OCIO supervision.
8. Track and trace vulnerabilities from other sources related to the scope of WASA campaigns.
9. Meetings with stakeholders in Brussels (max once per month).
Skills, Knowledge, Experience Required:
Mandatory:
* +5 years of recent experience in web applications assessment.
* General knowledge of cybersecurity principles, best practices, concepts, and technology.
* Knowledge of cybersecurity architectures: boundary protection, encryption, identity and access management, monitoring and detection, incident response, vulnerability assessments, and risk management.
* +3 years of experience testing and validating security requirements and use-cases.
* Familiarity with NATO security policies and directives (desirable).
* Knowledge of Web Application Security Assessment (WASA) environment.
* Ability to work independently and in teams.
* Strong ownership and motivation to complete tasks.
* Excellent communication and writing skills in English.