Penetration testing

We have been asked for a ZAP or Burp penetration test scan report on the api.companieshouse.gov.uk endpoint.

Before embarking on the test, do you have policies relating to the use of penetration test tools, or to notifying you ahead of their use?

Thanks

Matthew,

We do have policies regarding the use of the tools and notifying us in advance. We will require:

  • Justification for the testing.
  • Details and contacts of who is carrying out the testing and when it is being carried out.
  • Full technical details of testing, e.g. tools being used, source IP addresses etc.
  • Signing a non-disclosure agreement, to ensure that no information on any vulnerabilities/security issues is published.
  • CH to be supplied with a full copy of the report. We would insist that any vulnerabilities found are not exploited.
  • Assurances around not impacting any Companies House services.

Will private message you to continue the discussion.

Thanks,

Mark.

Hi Mark,

I have a similar query. My security team are asking for assurances over the security of the Companies House APIs which will lead to us needing to test.

Are you able to share the information relating to this original query back in 2015?

Thanks

Simon