Vulnerability and penetration testing

You must use penetration tests and vulnerability assessments on your service to make sure it’s secure.

Vulnerability assessments help you find potential weaknesses in your service. Penetration tests proactively attack your systems to find weaknesses and help you understand how easy they are to exploit.

You should carry out both frequently as you build, not as a one-off check, and follow the government approach from the discovery phase of your project.

You can also read the .

What to test

When you’re testing for vulnerabilities, your testing scope should be wide enough to include the whole system and not just the software involved.

For example, a wide testing scope could include:

  • the security of the place where you keep equipment
  • the interaction between an online system and a contact centre

Due to the complexity and cost involved in this, it should be done at an organisation rather than service level. Speak with your department’s security team to agree on the most efficient approach.

It’s important for the service to make sure that people can’t use offline information to exploit an online system. An example of this might involve getting a contact centre team to change a user’s email address, then using a forgotten password function to access that person’s account.

You must get explicit consent from any third-party supplier if you use their software and want to review it as part of your test. Check your legal contract to confirm you have consent.

When to test your service

Your team should regularly assess your service’s security, especially during major changes to your codebase (for example, when introducing a new dependency or integration).

Learn more about .

Working with third parties

You should use a third party to test your service before it moves into public beta or uses real user data. They can help you make sure that your internal testing is good enough, but you shouldn’t rely solely on third-party testing.

How to find a third party

If you choose to use a third party, you should use a or staff accredited to equivalent CHECK levels to carry out penetration testing.

You can also find certified companies through the or through the .

If your service handles data classified as SECRET or TOP SECRET, to find out if any special testing requirements are needed.

Testing third party systems or software

You must agree the details of any third-party penetration tests with your security and legal team, for example:

  • when the tests will happen
  • whether they should focus on staff-related vulnerability, as well as system vulnerabilities
  • whether you have permission from your third-party supplier to look at their systems or services

You might also choose to whitelist a group of the third party’s IP addresses. Marking them as trustworthy means you won’t mistake their work for a genuine malicious attack (unless the test is designed to test your reactive capabilities).

Your agreement with the third party should include confirmation that they’re not liable for any disruption to your service and will stop their work immediately if it does disrupt your service.

After the test, the third party should produce a report that explains how severe the weaknesses are and how easily they can be exploited. They might also provide recommendations on how to protect your service from malicious users.

Handling security reports

Whoever did the vulnerability assessment and penetration tests should produce a report after every round of tests to explain what they did and what they found. This should be treated as ‘OFFICIAL-SENSITIVE’ and shared with the technical team, service owner and any senior managers that need to understand risks to your service.

The report summary should explain the risks in language that a non-technical audience can understand. The rest of the report should contain enough detail that your technical team can review and prioritise actions to fix any issues that have been found.

Building security capability in your team

You should aim to increase security understanding and capability in your team. Running vulnerability assessments and penetration tests yourself is cheaper and can be done more regularly than relying on a third party.

Your team could include experts such as ethical hackers, security engineers or penetration testers to help keep the service secure.

Find out .

Increasing automated testing

You should try to automate as much of your testing as possible to find basic vulnerabilities, such as features exposed to SQL injection.

There are several open source or commercial tools you can use to test the security of features, for example, you can use:

  • or for static analysis
  • for input fuzz testing
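As an added illustration of the kind of automated check this section recommends (example code, not from the Service Manual or any tool it names), the following Python shows a login query exposed to SQL injection beside its parameterised equivalent, with a small regression check that can run in a build pipeline. The table, credentials and test inputs are constructed for the example.

```python
import sqlite3

# Constructed in-memory database for the example (not from the page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # String formatting: user input becomes part of the SQL text itself.
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone()[0] > 0

def login_hardened(conn, username, password):
    # Parameterised query: input is bound as data and never parsed as SQL.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0

# Textbook injection-style inputs that a correct login must reject.
# Constructed for this regression check.
INJECTION_INPUTS = [
    "' OR '1'='1",
    "' OR 1=1 --",
]

def run_injection_checks(login_func):
    """Return the inputs for which login_func wrongly grants access.

    An empty list means the implementation passed the check; anything
    else should fail the build so the weakness is fixed before release.
    """
    conn = make_db()
    failures = []
    for payload in INJECTION_INPUTS:
        if login_func(conn, payload, payload):
            failures.append(payload)
    # Confirm normal behaviour too: valid credentials work, wrong ones fail.
    if not login_func(conn, "alice", "correct-horse"):
        failures.append("<valid credentials rejected>")
    if login_func(conn, "alice", "wrong"):
        failures.append("<wrong password accepted>")
    return failures

if __name__ == "__main__":
    print("vulnerable:", run_injection_checks(login_vulnerable))
    print("hardened:  ", run_injection_checks(login_hardened))
```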

You should also aim to use exploratory testing to in your service that could be exploited by more advanced attackers.

If you aren’t sure which tools to use or what to test, speak to a security expert in your organisation or a qualified third party.

Get testing advice

Read about or to get advice on information security.

If your tests find vulnerabilities that affect other services or organisations, contact their security lead or pass the information to the NCSC.

Last update:

Integrated elements on Discovering vulnerabilities and Implementing a vulnerability management process.

  1. Added guidance on when to carry out penetration tests and how to work with third parties.

  2. Updated the list of CREST-certified companies you can hire to test your service.

  3. Guidance first published