Specifications include, but are not limited to:

Description of Scope of Work:

BWC is looking to select a best-fit vendor to collaborate and assist with monthly application vulnerability scanning. This testing should include the following items:

• Electronic application vulnerability scanning of all externally-facing IP addresses. This will include the following systems:
  o Current Production Ohio BWC Website
  o External SharePoint Security Testing
  o Externally-facing Web Services
• This scanning must include and identify the following:
  o Application coding issues (including SQL injection, cross-site scripting, cross-site request forgery, etc.)
  o Configuration issues (including unnecessary or obsolete ports/protocols being used, etc.)
• The vendor must use a reputable 3rd-party application vulnerability scanner, such as QualysGuard, ImmuniWeb, Fortify, Veracode, etc.
• The vendor must run the scans to identify issues, and then the vendor must make a best-faith effort to eliminate false-positive issues in the report, prior to giving it to BWC.
• Results must be clearly communicated to BWC in an electronic report. The report must include the steps to reproduce each vulnerability.
• All security testing efforts are to be done in a non-destructive manner with minimal impact to our customers, and at no time should any confidential information be compromised or shared with another party.