Discovering vulnerabilities
This activity must be performed during the following phases:
- alpha
- private beta
- public beta and live
Your service's security depends on detecting and fixing vulnerabilities before they are exploited.
Persistent adversaries attack digital projects and services continuously, and the pace is increasing. You need to identify and address weaknesses in your project so that it is resilient against cyber-attacks.
Before discovering vulnerabilities, you must:
- define a project-level vulnerability management process
- understand the scope of your project
- understand and be familiar with the DfE standard vulnerability escalation process
When should this be done?
The process of discovering vulnerabilities should:
- begin during the system design phase, using documentation to identify potential vulnerabilities
- be performed during every phase of the delivery life cycle
- start no later than the alpha stage of delivery
Who should be involved in this?
During the design phase, your technical architects should work with security professionals to identify potential vulnerabilities in the design. This is often done through threat modelling workshops.
From the build phase onwards, development and DevOps teams should be responsible for discovering and correcting vulnerabilities using appropriate methods.
This may involve:
- seeking support from the Cyber and Information Security Division (CISD)
- implementing tools and technologies to detect vulnerabilities
- engaging third-party suppliers to undertake vulnerability scans or penetration tests
You should keep the project's Senior Responsible Officer (SRO) and service owner informed of the tests. You should make sure outputs are considered as part of risk management decisions.
Recommended approaches for detecting vulnerabilities
Teams should use a variety of tools and techniques to detect vulnerabilities across their design, code, and systems. Do not rely on a single approach.
These may include:
- threat modelling to identify vulnerabilities in system designs
- code scanning and peer reviews to identify vulnerabilities in your codebase
- vulnerability scanning, penetration testing, or IT health checks to identify system vulnerabilities
Technical guidance for development and DevOps teams on using DfE-provided tools will be available soon.
Project teams should use the DfE-provided tools before deploying tools of their own. Speak to the Cyber and Information Security Division (CISD) if you need support in using them.
You should define and communicate a clear schedule for these approaches. This should specify what is ongoing, periodic, or tied to delivery stage transitions.
You must document the outputs from any tools and techniques used and capture them in your project risk management processes. You should assess the severity of each vulnerability found and make sure a risk-based decision on its treatment (for example, fix, mitigate, or accept) is taken and recorded. You should use a risk register or risk tooling to support this.
You should inform your SRO and service owner of any vulnerabilities.