Public Procurement Office E-Zamówienia platform – security and performance

May 14, 2025

About the project:

The goal of the project was to carry out, as an independent external auditor, specialized security and performance tests of the e-Zamówienia Platform. The contractor of the platform was Pentacomp Systemy Informatyczne S.A., the Contract Engineer: SOFTIQ Sp. z o. o.

The newly created platform supports the implementation of the public procurement process. It enables electronic communication between ordering parties and contractors. Registration on the platform is mandatory if the ordering party wants to publish the procedure plan and announcements in the Public Procurement Bulletin.

The purpose of the Security Audit was to identify vulnerabilities that constitute or may pose a threat to processed, transmitted and stored information and data, and to assess the performance and availability of the platform, as well as to identify potential single points of failure (SPOF). The assessment was based on performance and load tests.

The audit was also intended to demonstrate the independence and scalability of the individual platform services, in the context of their possible further development by independent contractors.

Challenge:

The developed e-Zamówienia Platform aims at supporting the process of digitalization of public procurement in three main areas:

  1. Providing a tool enabling the use of electronic means in communication between ordering parties and contractors, in accordance with the Public Procurement Law, in particular in the field of submitting offers, applications, declarations in public procurement proceedings and other documents,
  2. Issuing the Public Procurement Bulletin in electronic form, used to publish announcements on public procurement matters,
  3. Handling the obligation of contracting entities to submit annual reports on awarded contracts in electronic form.

The platform consists of a number of functionalities that have been grouped into logical modules and components covering the following functional areas.

Modules:

  1. Identity Module (MT)
  2. Announcements Module (MO)
    • Preparation of announcements and proceedings plans
    • Public Procurement Bulletin (BZP)
  3. Proceedings Module (MP)
    • Initiation of proceedings, updating of the proceedings status
    • Communication from stakeholders of the proceedings (questions/answers, invitations, explanations, appeals, notices)
  4. Module of Offers/Applications (MOW)
    • Preparation and submission of offers/applications/competition entries
    • Storing and securing offers/applications/competition entries
    • Opening of offers/applications/competition entries
  5. Monitoring and Analysis Module (MMiA)

Components supporting the implementation of e-services:

  • Central Data Repository (CRD)
  • Communication Component (KOM)
  • Mailing system (SM)
  • Notification coordinator (KP)
  • Cryptographic Component (KK)
  • Key Master (ZK)
  • Log Manager (ZL)
  • API Manager (ZA)
  • Developer Portal (PD)
  • e-Sender
  • Administrative Component (KA)
  • Educational Component (KE)
  • Notification Handling System (SOZ)
  • Access portal (front-end WEB GUI)

The Ordering Party provided TestArmy with the following documentation:

  1. Technical Design (PT),
  2. Technical and Post-Completion Documentation.

Process:

The security audit was carried out in 4 cycles, related to the increase in functionalities launched within the modules of the e-Zamówienia Platform.

The following phases of activities were carried out for each cycle:

  1. Phase 1 – test planning
  2. Phase 2 – analysis of the architecture in terms of security issues
  3. Phase 3 – penetration, performance and load testing
  4. Phase 4 – code review
  5. Phase 5 – preparation of the final report on the tests performed (Phases 2–4)
  6. Phase 6 – re-tests after correction of the critical errors identified in Phases 2–4.

We submitted working conclusions from the re-tests to the Ordering Party no later than on the day Phase 6 was completed, and delivered the final re-test report within 1 business day of the completion of testing in that Phase.

Results:

  1. A review of the source code of the e-Zamówienia Platform was carried out in terms of security issues (with particular emphasis on the correctness of validation of data sent to the Platform).
  2. Maps of the tested Platform were built independently, taking into account the number and type of network and server devices and the versions of the services provided, according to the gray-box test model.
  3. The vulnerabilities of the network, server and application infrastructure used were examined both from outside and from inside the network.
  4. Appropriately selected attacks were carried out on the network, server and application infrastructure, in the scope of:
    • Security tests of the Platform by attempting to break its security from outside and inside the network, using methods currently employed by “cybercriminals”, including backdooring, brute force, cracking PSK keys, breaking SSL/TLS encryption, and others based on the Contractor’s experience.
    • Web application tests based on the OWASP (Open Web Application Security Project) standard, in particular the OWASP Top 10 classification, as well as on the Contractor’s experience.
    • Platform security tests carried out by attempting unauthorized access to resources, web applications (taking OWASP into account), servers, the network infrastructure and data, including attempts to modify them.
    • Security tests for business logic errors, covering all GUI forms and all REST API services of the Platform.
    • Security tests of the e-Zamówienia Platform carried out according to the security test plan and scenarios prepared by the Contractor, at the level of both an unauthenticated and an authenticated user, including privilege escalation by using functionalities outside a given role (functionalities dedicated to other roles). The Ordering Party provided 2 test user accounts from each user class, 6 accounts in total.
  5. Verification of the configuration and parameterization of the Platform infrastructure was carried out, with the assistance of the Platform Contractor, in order to identify vulnerabilities and errors, including an analysis of the configuration of database servers and web servers; the configuration of each device was reviewed individually (even where devices have a similar configuration).
  6. Performance tests of the e-Zamówienia Platform were carried out according to the prepared plan and scenarios, aimed at examining the actual performance of the Platform’s modules and components in the tested configuration and checking for resource leaks.
  7. Load tests of the e-Zamówienia Platform were carried out according to the prepared plan and scenarios in order to determine the load boundary conditions beyond which the Platform no longer meets the assumed requirements for responsiveness and availability, and to conduct a scalability analysis.
  8. Tests were conducted to identify potential single points of failure (SPOF).
  9. The impact of the developed operational procedures on the security of the Platform was verified.

A summary of the tests performed, the review of the e-Zamówienia Platform’s source code and the review of the operational documentation was prepared as a detailed test report, detailing the tools and techniques used, with all vulnerabilities classified according to the adopted error classification and, additionally for web applications, according to the OWASP guidelines.

The e-Zamówienia platform allows for the digitalization of the public procurement process. This would not be possible without ensuring adequate system performance and security. Projects like this demonstrate a responsible approach to building the state’s digital infrastructure.
