How to do penetration tests
An approved third party should carry out tests through the National Cyber Security Centre (NCSC) CHECK scheme or a member of the GDS Cyber Security Team can carry them out internally, depending on your requirements.
You may need to schedule additional testing if you make significant changes to your service. You should meet with the IA team regularly to discuss ongoing changes.
A significant change could be when you:
- change a cloud service provider
- change stored data, for example if you introduce new data which can be classified as personal data under GDPR
- add a third-party partner, for example, a database processor or email provider (especially if the third-party partner is processing personal data)
- implement significant application changes or new features
Scope your test
An IT Health Check or security review can include:
- application penetration tests
- external network penetration tests
- server build reviews
- code reviews
- social engineering
- red team engagements
Before testing, you should define:
- the beginning and end test dates. This will be an agreement between the team and the tester(s) based on the size of the project, rather than dictated to them
- the areas you want the tester to target, for example, bypassing authentication
- what you should exclude, for example, third-party managed infrastructure
- exploits that are out of scope, such as DoS attacks
- any specific technical capabilities to allow third-party testers to complete testing, for example, experience working with AWS security groups
- the specific technical scope of the test including IP addresses, URLs and GitHub repositories
- technical documentation and tools that can assist with testing and understanding of the application, for example Swagger/Postman documentation for API tests
Schedule a test
To schedule a test, contact the IA team.
If you plan to test any application, you must contact the IA team at least 3 months in advance so they can organise the procurement for you.
Prepare for your test
Before the test, you will be expected to share documentation with the testers, for example, up-to-date architecture diagrams. The documentation could also include information about the individual components of each application being tested.
You should run the tests on a separate test environment which replicates the behaviour of your live service.
To prepare your test environment you should:
- give the tester all the credentials, certificates and authentication they need to start immediately
- provide a technical person to contact in case the tester has any queries
- create temporary credentials for testers (testers should provide their own SSH public keys)
- give the tester the privileges required for the test, such as sudo access where appropriate
- notify your service providers in advance, for example by emailing GOV.UK PaaS Support
- give the tester a distribution list of approved report recipients
What to do after testing
After your test, you should meet with the IA team to discuss the test results. You can then prioritise work to mitigate any issues identified in the test and schedule a retest if needed.
Teams should work with the Cyber Security team, who can give advice, fix any issues and take appropriate further action when required.