How to do penetration tests
An approved third party should carry out tests through the National Cyber Security Centre (NCSC) CHECK scheme or a member of the CDIO Cyber Security Team can carry them out internally, depending on your requirements.
You may need to schedule additional testing if you make significant changes to your service. You should meet with the IA team regularly to discuss ongoing changes.
A significant change could be when you:
- change a cloud service provider
- change stored data, for example if you introduce new data which can be classified as personal data under GDPR
- add a third-party partner, for example, a database processor or email provider (especially if the third-party partner is processing personal data)
- implement significant application changes or new features
Scope your test
An IT Health Check or security review can include:
- application penetration tests
- external network penetration tests
- server build reviews
- code reviews
- infrastructure-as-code reviews
- AWS configuration reviews
- red team engagements
- vulnerability scans
Before testing, you should define:
- the beginning and end test dates. This will be an agreement between the team and the tester(s) based on the size of the project, rather than dictated to them
- the areas you want the tester to target, for example, bypassing authentication
- what you should exclude, for example, third-party managed infrastructure
- exploits that are out of scope, such as DoS attacks
- any specific technical capabilities to allow third-party testers to complete testing, for example, experience working with AWS security groups
- the specific technical scope of the test including IP addresses, URLs and GitHub repositories
- technical documentation and tools that can assist with testing and understanding of the application, for example Swagger/Postman documentation for API tests
Schedule a test
To schedule a test, contact the IA team.
If you plan to test any application, you must contact the IA team at least 3 months in advance so they can organise the procurement for you.
If you are planning to ask the CDIO Cyber Security team to perform a test, you will need to enter the information listed in the scope your test section and the prepare for your test section into a Rules of Engagement document, where a scope can be agreed and signed off by both parties. As with the IA team, you should give at least 3 months’ notice to make sure you can schedule the test at a time that suits project timelines.
Prepare for your test
Before the test, you will be expected to share documentation with the testers, for example, up-to-date architecture diagrams. The documentation could also include information about the individual components of each application being tested.
You should run the tests on a separate test environment which replicates the behaviour of your live service.
To prepare your test environment you should:
- give the tester all the credentials, certificates and authentication they need to start immediately
- provide a technical person to contact in case the tester has any queries
- note down the IP addresses of the testers and if necessary, add those IP addresses to any allow lists, making sure to remove them when testing has finished
- create temporary credentials for testers (testers should provide their own SSH public keys)
- give the tester the privileges required for the test, such as sudo access where appropriate
- notify your service providers in advance, for example by emailing GOV.UK PaaS Support - note that in most cases AWS do not require advance permission for penetration tests on your applications
- give the tester a distribution list of approved report recipients
What to do after testing
After your test, you should meet with the IA team to discuss the test results. You can then prioritise work to mitigate any issues identified in the test and schedule a retest if needed.
Teams should work with the CDIO Cyber Security team, who can give advice, consult on fixing any issues and take appropriate further action when required.