Pen Testing setup

[dotloadmovie]

24th Jan update: All approved, costings sorted. Caroline must approve. @cyramic to obtain caroline's approval. Involve Jake too please :)

[dotloadmovie]

-what, precisely, they will be testing -how we sort interop with SSO for them if needed -presence of a suitable production URL -mobilisation time at the vendor end -... probably some other stuff I haven't thought of

[daniel-hutt]

Herts have asked for timelines and confirmation that any vulnerabilities will be rectified

[cyramic]

Pen testers have responded that we should only test the application when everything is fully up and running. My notes from our conversation are below:

I finally got through to Surecloud. Our previous contact left, and the one suggested to me after that also left so my messages were getting lost. Their suggestion was that the app sounds like it's relatively low-risk and suggested the following approach for our needs:

• Make sure all code is reviewed before it goes on the platform (obvious, I know)
• Use automated vulnerability checks on the setup (we use ones for docker containers, and one for github libraries). There were others he mentioned that I hadn't heard of, but I suspect they're commercial. I'll look into the ones he mentioned further just to be sure there isn't something there we could use in the mean time.
• He suggested sending him an HLD/LLD (high level diagram / low level diagram) of the service to get a better idea.
• Using AWS greatly lowered the risk in his eyes and he didn't seem concerned as the app seemed to be relatively straight-forward.

He saw the app we're developing as not having a lot of risk associated with it and suggested we wait until we have a version we would be happy to PEN test against. Then we can do the full tests at that point to minimise cost. Was there anything else we wanted to check? I'll be sending off the diagrams tomorrow once I give them a once-over just to make sure they're accurate.