How to do penetration tests
This document is current until 1 September 2018
Tests should be carried out by an approved third party through the National Cyber Security Centre (NCSC) CHECK scheme or internally by a member of the GDS Cyber Security Team.
You may need to schedule additional testing if you make significant changes to your service. You should meet with the IA team regularly to discuss ongoing changes.
A significant change could be when you:
- change a cloud service provider
- change stored data, for example if you introduce new data which can be classified as personally identifiable information (PII)
- add a third-party partner, for example, a database processor or email provider (especially if the third-party partner is processing PII)
Scope your test
Before testing you should define:
- the beginning and end test dates
- the areas you want the tester to target, for example bypassing authentication
- what should be excluded, for example third party managed infrastructure
- any specific technical capabilities to allow third-party testers to complete testing, for example experience working with AWS security groups
Prepare for your test
Before the test you will be expected to share documentation with the testers, for example up to date architecture diagrams. The documentation could also include information about the individual components of each application being tested.
You should run the tests on a separate test environment which replicates the behaviour of your live service.
To prepare your test environment you should:
- create temporary credentials for testers (testers should provide their own SSH public keys)
- notify your service providers in advance, for example by completing the AWS Penetration Testing request form or emailing GOV.UK PaaS Support
What to do after testing
After your test you should meet with the IA team to discuss the test results. You can then prioritise work to mitigate any issues identified in the test and schedule a retest if needed.
Schedule a test
To schedule a test contact the IA team.
If you plan to test with a third-party, you must contact the IA team at least 3 months in advance so they can organise the procurement for you.