Software Dependency Scanning Solution
DESCRIPTION: MARKET SURVEY AND BIDDERS LIST DEVELOPMENT - SOURCES SOUGHT REQUEST FOR SOFTWARE DEPENDENCY SCANNING SOLUTION. The U.S. Senate, Office of the Sergeant at Arms (SAA) is seeking information from the vendor community on a Software Dependency Scanning Solution to integrate with bimodal software development methodologies minimizing security vulnerabilities and increasing the speed of software release to the consumer.
Response to this SSN will assist the SAA in the review of current solutions in the marketplace for a dependency scanning solution. The SAA requests responses that detail solutions that: 1) meet or exceed the requirements set forth herein and 2) provide a full description of services offered, methods of implementation, and scope of the solution.
THIS IS A SOURCES SOUGHT NOTIFICATION ONLY. This SSN is solely for information and planning purposes and does not constitute a Request for Proposal (RFP) or a promise to issue an RFP in the future. This SSN does not commit the SAA to contract for any supply or service whatsoever. Further, neither the Senate nor SAA seek proposals at this time; will not accept unsolicited proposals; will not pay for any information or administrative costs incurred in response to this SSN. All costs associated with responding to this SSN will be solely at the interested party's expense.
All requirements listed below are mandatory unless otherwise noted. All questions require a response. This synopsis contains the currently available information and is subject to change at any time.
REQUIREMENTS: The key functional requirements under consideration for a Software Dependency Scanning Solution must include, but are not limited to, the following:
• Ability to scan applications and their dependent libraries written using:
o Python/Django
o Java
o Visual Basic/C#/ASP/.Net
o JavaScript/Angular/jQuery/NodeJS
o PHP
• Ability to identify and provide mitigation tasks for known vulnerabilities;
• Ability to automatically update itself with common vulnerability exposure data feeds or national vulnerability database feeds;
• Ability to provide analytics through dashboards and generate reports;
• Ability to assign User security through role-based controls;
• Ability to integrate in a Tool Chain pipeline if needed.
• Software only solutions are preferred; and,
• Optional: Ability to integrate with a larger set of security tools that have SAST, DAST and Fuzzy testing capability.
RESPONSES: Responses to this SSN shall include a brief response of technical summary to each of the mandatory requirements listed above.
Software Dependency Scanning Solution responses must be in accordance with the following:
• Respondents must be the OEM provider/vendor. Responses submitted by resellers or third-party integrators will not be evaluated by the SAA.
• Vendor responses must be based on the existing product's or solution's current, out-of-the-box, configurable capabilities. The SAA will not evaluate or consider custom or uniquely customized products or solutions.
• The SAA will not evaluate or consider planned or future product enhancements when reviewing responses.
• Offerors of solutions selected to move to the second round of product evaluation by the SAA must be prepared to discuss in detail and demonstrate stated-capabilities relative to some or all listed requirements. Offerors will also need to participate in a 90-day software evaluation hosted in the SAA VMWare Infrastructure, RedHat Virtual infrastructure or OpenShift container platform with minimal vendor support.
In addition, submissions must include:
• Business information to include the following:
> A cover letter to include name of organization, street address, city, state, and zip code, point of contact (POC), telephone number, fax number, and email address.
The information contained in this notice will be the only information provided by the SAA during the Sources Sought process. All qualified sources should respond to this notice by submitting an information package in accordance with the instructions provided. Contractors responding to this notice and deemed qualified after participating in the 90-day software evaluation hosted by the SAA may be requested to submit a proposal in response to a solicitation.
INSTRUCTIONS: Responses to this Sources Sought Notice are due to the POC no later than 12:00 Noon on November 18, 2019 and shall be submitted electronically via email only to the attention of Holly A. McDonald at holly_mcdonald@saa.senate.gov. The subject line of the email message shall be: SSN 2020-S-0002 entitled "Software Dependency Scanning Solution".
No other method of transmittal will be accepted. The response shall not exceed twenty-five (25) pages. Unnecessarily elaborate submissions are discouraged. Pages over the page limitation may be discarded. Access by the SAA to information in any files attached to the response is the responsibility of the submitting party. Neither the SAA nor the Senate is responsible for any failure to access vendor's information.
THIS IS NOT A REQUEST FOR PROPOSAL. THIS NOTICE CONSTITUTES THE ENTIRE SOURCES SOUGHT NOTICE AND IS THE ONLY INFORMATION PROVIDED BY THE SAA OR SENATE. ANY REQUESTS FOR ADDITIONAL INFORMATION WILL NOT BE HONORED.
Holly McDonald, Procurement and Contracting Specialist, Email holly_mcdonald@saa.senate.gov
