Secure by Design

Do security testing

You need to check that your capability or service is secure.

Do security testing in all phases of your project and when you discover new threats.

Start securely

Design your capability or service so that it is secure. Put best practices in place so that you do not have to fix issues later. Consider things like:

  • your technical architecture
  • using secure code libraries
  • meeting coding standards

Review your designs regularly, especially when you make changes or discover new threats.

Security testing in Defence

You can do different kinds of security testing. Decide on the mix of approaches that is right for your capability or service.

Code reviews

You need to test your code. Make automated and manual tests part of your release process. Do code reviews during development and before committing new code.

Code reviews help you find and fix vulnerabilities. They also help you meet coding standards.

Vulnerability assessments

Use automated tools to pick up errors and vulnerable libraries. Examples of automated tools include Nessus, Rapid7 and Qualys.

After you run automated tests, ask a security expert to check for vulnerabilities that are harder to find. If you do not have a security expert on your team, check guidance on involving the right people.

Do a vulnerability assessment before you release code. Consider doing a vulnerability assessment on every commit, using pipelines to ensure code quality.

Penetration testing

Depending on what you find in your vulnerability assessment, you might need to do penetration testing (pen testing). You should also consider doing a pen test after you release significant changes.

During a pen test, security experts simulate a cyber attack on your capability or service. Using automated and manual techniques, they find vulnerabilities that attackers could exploit.

Ask your commercial team if you should use security experts in Defence or an external company. If you use an external company, they should be a verified supplier. Check the National Cyber Security Centre's register.

Check GOV.UK guidance on vulnerability and penetration testing.

Bug bounties

You can ask ethical hackers to try to exploit your capability or service over a period of time. The hackers are paid for each valid vulnerability that they find. Bug bounties often find vulnerabilities that other approaches miss.

Only use bug bounties after you have done other kinds of security testing. You can hold a bug bounty remotely, or onsite to test systems that are not connected to the internet.

Vulnerability Disclosure Programmes

If your capability or service is online, consider running a Vulnerability Disclosure Programme (VDP). VDPs give ethical hackers a way to report vulnerabilities at any time.

A well-run VDP helps you identify vulnerabilities and mitigate them before they can be exploited.

The Ministry of Defence has a Vulnerability Rewards Programme for selected ethical hackers. To find out more, search for 'Vulnerability Rewards Programme' on MODNET.

Red teaming

Red teaming involves skilled, ethical hackers breaking into your capability or service. Their focus is not on identifying individual vulnerabilities, but on breaking in however they can. This includes exploiting physical and human weaknesses, for example through phishing.

Sometimes, red teaming happens without your team knowing. It tests how you respond to real-world attacks.

Only use red teaming now and again, after you have done other kinds of security testing.

Share what you find

Whenever you do security testing, share what you find with your team and your stakeholders. Do this even if you find no vulnerabilities. It gives stakeholders confidence that your capability or service is as secure as it can be.

Add vulnerabilities that you find to your project's risk register. Include enough information for the team to decide how to mitigate risks. Make sure you track how vulnerabilities are being managed.

Ask for support

Before you ask for support, make sure your team has done a mix of security testing.

Technical security teams

If your capability or service is live, you can ask for support from a technical security team. Team members are often deployed and can test your capability or service in a real-world environment.

Technical security teams are managed by the Joint Information Assurance Co-ordination Cell (JIACC).

On MODNET, search for 'JIACC'.

Cyber Resilience Programme

If your project is a priority and considered high risk, you can ask for support from the Cyber Resilience Programme (CRP). The CRP uses external security experts for activities including:

  • bug bounties
  • red team events
  • Vulnerability Disclosure Programmes (VDPs)

On MODNET, search for the 'Cyber Resilience Programme'.

Cyber Security Advisory and Assurance Service

Any project in Defence can get advice from the Cyber Security Advisory and Assurance Services (CySAAS) consultancy service.

For example, you might have done a pen test but still have questions about the real-world impact of a specific issue.

On MODNET, search for 'CySAAS consultancy'.

Tell us what guidance you need

This is the start of technical guidance for developers in Defence. To tell us what other guidance you need, get in touch.

Published August 2024