Home > Articles > Penetration Testing Under UK Law

Penetration Testing Under UK Law

Articles | 17 April, 2018 | 5

When penetration testing is conducted within the UK, there are a number of laws that govern the activities that form part of a penetration test.

For the majority of tests, these laws include the following:

In order to ensure that penetration testing is conducted in line with UK law and also to ensure that the test is conducted as efficiently as possible, a testing consent form must always be used to capture the exact scope of the test and provides those responsible for an organisation’s infrastructure with a means of providing their consent.

Typically, a testing consent form will capture the following information:

Name & Position of the individual who is providing their consent
Authorised Testing Period – both the date range and hours that testing is permitted
Contact information for members of technical staff, who may provide assistance during the test
IP addresses or URL that are in scope of testing
Exclusions to certain hosts, services or areas within applications
Credentials that may be required as part of authenticated application testing

Consent forms should always be signed by someone who is in a position of legal authority within an organisation (for example one of the company directors), in order to indemnify the testing company (and the individuals performing the test) from all applicable laws for the duration of the test. It is important that consent is also obtained from any owners of 3rd party hosting environments or equipment, which may also come under the scope of testing.

At SecureTeam, no testing activities are ever performed until a fully-completed and signed consent form has been returned by our customers. This ensures that we remain compliant with the relevant UK laws and that the scope of testing is fully understood by both our client and the consultants who will be conducting the test.

Lastly, due to a completed testing consent form containing potentially sensitive information, it should be handled in accordance with the client and testing organisation’s data handling procedures.

how to, penetration testing, UK Law, vulnerability management

Log4Shell (still) actively exploited on VMware Systems

By Mark Faithfull

The Cybersecurity and Infrastructure Security Agency (CISA) and United States Coast Guard Cyber Command (CGCYBER) released a joint security advisory last week to warn of the active exploitation of CVE-2021-44228. This vulnerability is commonly knownRead more
How the Phone-Wiping Banking Trojan BRATA is Becoming a More Advanced Threat

By Mark Faithfull

First discovered in 2019, BRATA malware is contained in a malicious app which victims are tricked into installing on their phones. BRATA is a banking Trojan that gains access to your bank, withdraws your funds,Read more
CISA Warn of 40 New Actively Exploited Cybersecurity Vulnerabilities This Month So Far

By Mark Faithfull

Last week saw the addition of 39 known exploited cybersecurity vulnerabilities to the CISA catalogue, bringing the total added in June so far to 40. The Cybersecurity and Infrastructure Security Agency (CISA), a branch ofRead more
10 Common Security Weaknesses and How To Defend Against Them

By Mark Faithfull

The mistakes we make and how to fix them – a new report co-authored by the NCSC reveals the 10 most common security weaknesses exploited by hackers. A joint security alert from the National CyberRead more
Phishing Report 2022: Which Individuals Are Most at Risk

By Akhlaq Rahman

In 2022 phishing will be bigger than it ever has been, with sophisticated new methods meaning that an increasing number of people are falling for attackers’ tricks, regardless of their tech literacy. Since May 2021,Read more