Test and verify security

Ongoing testing of digital services

Carry out security testing using penetration testing and vulnerability assessments. This will address any vulnerabilities and verify security. They should be ongoing activities, not a one-time activity that occurs before production. Technologies that were secure when you first implemented them can become insecure with the publishing of a new vulnerability.

Penetration testing

Penetration testing (known as pen testing, or ethical hacking) is an authorised cyber-attack on a computer system to check how well it is protected against malicious attacks. 

You should do a penetration test of your service:  

  • before and after moving into production 
  • after any significant change 
  • in line with any major feature enhancements  
  • in line with configuration changes to a system, if it is public facing.  

Use a penetration tester who has recognised industry certifications. These include: 

  • offensive security certified professional (OSCP) 
  • offensive security wireless professional (OSWP) 
  • offensive security certified expert (OSCE) 
  • GIAC penetration tester (GPEN)  
  • CREST registered penetration tester. 

Vulnerability assessments

Vulnerability assessments use testing or scanning tools to identify security vulnerabilities in a system or environment. Vulnerability assessments will give an indication of the severity of the vulnerability and basic steps to fix them.  

You need to do ongoing vulnerability assessments regardless of changes to services. The barrier to doing this task is significantly lower than for a penetration test. A vulnerability assessment does not involve the exploitation of vulnerabilities for proof of concept. Skilled staff without any relevant industry certifications can do it. 

You should assign a risk rating and treatment owner for any vulnerabilities you identify. To establish risk ratings for vulnerabilities, refer to the Common Vulnerability Scoring System (CVSS). 

If you cannot mitigate vulnerabilities that you have rated as high or extreme, you must report them to Cyber Security NSW as per mandatory requirement 5.2 of the NSW Cyber Security Policy

Last updated