We are looking for assurance in the following two domains:
Solution Quality: Verify that the solution principles, architecture, design and technology are fit for purpose for the capabilities required of the platform. Verify that the quality approach used in the build and development supports appropriate quality objectives. Verify that (some or all of) the developed components undergo an appropriate quality review on a periodic basis.
Solution Security: Verify that the solution principles, architecture, design and technology enable an appropriate level of security capability. Verify that the development approach used has appropriate security awareness and consideration. Verify that all necessary components are periodically scanned for vulnerabilities (both internal and external).
We are looking for an initial scan/discussion to verify the principles, architecture and design, followed by a periodic review to ensure follow-up within the build. The periodic review could happen annually or bi-annually, and would ideally be executed by software. We can do the first review soon and the first scan in October or November, after the build is complete.
The technology stack of the solution to be reviewed is based on Azure infrastructure, and the (micro)services are built with Java and C# on open-source frameworks. The front-end components are built with React. The external test surface will be these front-end components (fewer than 20), the associated external-facing APIs, and the Admin Console.
Our ideal would be to use one agency for this; however, if necessary we could use two. Either way, the reputation of the agencies is important so that our corporate customers accept the results as valid. The results need to be presented at two levels: a high-level summary for (external) stakeholder use, and a detailed feedback document with specific results and recommendations.