Do security testing
You need to check your technology or service is secure.
Do security testing in all phases of your project and when you discover new threats.
Start securely
Design your technology or service so that it is secure
Put best practices in place so that you do not have to fix issues later.
Depending on your context, consider things like:
- assessing your threats
- incorporating threat intelligence
- using secure code libraries
- meeting coding standards
- securing your code repositories
Review your designs regularly, especially when you make changes or discover new threats.
Follow guidance on Secure by Design.
Follow National Cyber Security Centre (NCSC) guidance on secure development and deployment.
Security testing in Defence
You can do different kinds of security testing. Decide on the mix of approaches that is right for your technology or service.
Code reviews
You need to test your code.
This helps you:
- find and fix security issues
- meet coding best practices
- improve the quality of your software
Make automated and manual tests part of your release process. For manual testing, you can use technical security teams or specialised security researchers.
Do code reviews during development and before committing new code.
Follow NCSC guidance on producing clean and maintainable code.
Vulnerability assessments
Consider using automated tools to find known security vulnerabilities.
Different types of scanners are available depending on what type of system you are testing, for example infrastructure or application scanners.
After you run automated tests, consider asking a security expert to check for vulnerabilities that are harder to find, such as logic flaws that scanners do not detect. If you do not have a security expert on your team, check guidance on involving the right people.
Do a vulnerability assessment before you release code. Consider doing a vulnerability assessment on every commit, using pipelines to ensure code quality.
Follow NCSC guidance on vulnerability tools and services.
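The following is an added example, not code from this guidance, showing one way to run a vulnerability assessment on every commit: a pipeline step that reads scanner output in SARIF (the interchange format emitted by CodeQL, Semgrep, Trivy and similar tools), fails the build when a finding reaches a severity threshold, and lets accepted risks be suppressed by rule ID so that they are tracked rather than silently ignored. The SARIF document, the scanner name, the rule IDs and the threshold are constructed for illustration.

```python
"""Gate a CI job on scanner findings expressed in SARIF 2.1.0.

Added example. SAMPLE_SARIF below is constructed for illustration, not
produced by a real scan; the tool name, rule IDs and threshold are assumptions.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass

# SARIF result levels, most serious first. A result with no "level" is
# treated as "warning", which is the default the SARIF specification gives.
LEVEL_RANK = {"error": 3, "warning": 2, "note": 1, "none": 0}


@dataclass(frozen=True)
class Finding:
    tool: str
    rule_id: str
    level: str
    message: str
    path: str
    line: int


def parse_sarif(doc: dict) -> list[Finding]:
    """Flatten every result in every run into a list of Finding records."""
    findings = []
    for run in doc.get("runs", []):
        tool = run["tool"]["driver"]["name"]
        for result in run.get("results", []):
            loc = {}
            if result.get("locations"):
                loc = result["locations"][0].get("physicalLocation", {})
            findings.append(Finding(
                tool=tool,
                rule_id=result.get("ruleId", "unknown"),
                level=result.get("level", "warning"),
                message=result.get("message", {}).get("text", ""),
                path=loc.get("artifactLocation", {}).get("uri", "?"),
                line=loc.get("region", {}).get("startLine", 0),
            ))
    return findings


def gate(findings, threshold="error", suppressed=()):
    """Split findings into (blocking, allowed).

    A finding blocks the pipeline when its level is at or above the
    threshold, unless its rule ID is in the suppressed set (a risk that has
    been accepted and recorded elsewhere). Unknown levels count as warnings.
    """
    blocking, allowed = [], []
    for f in findings:
        rank = LEVEL_RANK.get(f.level, LEVEL_RANK["warning"])
        if f.rule_id in suppressed or rank < LEVEL_RANK[threshold]:
            allowed.append(f)
        else:
            blocking.append(f)
    return blocking, allowed


def summarise(findings):
    """Count findings per level, for the job log and for tracking over time."""
    counts = {}
    for f in findings:
        counts[f.level] = counts.get(f.level, 0) + 1
    return counts


def run_gate(doc, threshold="error", suppressed=()):
    """Print a report and return the process exit code (0 pass, 1 fail)."""
    findings = parse_sarif(doc)
    blocking, allowed = gate(findings, threshold, suppressed)
    print(f"findings by level: {summarise(findings)}")
    for f in blocking:
        print(f"BLOCK {f.level:<8} {f.rule_id:<20} {f.path}:{f.line}  {f.message}")
    for f in allowed:
        print(f"allow {f.level:<8} {f.rule_id:<20} {f.path}:{f.line}")
    return 1 if blocking else 0


# Constructed sample: one scanner run with four results of mixed severity.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "User input concatenated into SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "debug-enabled", "level": "note",
             "message": {"text": "DEBUG=True in settings"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/settings.py"},
                 "region": {"startLine": 3}}}]},
            {"ruleId": "hardcoded-test-key", "level": "error",
             "message": {"text": "Hard-coded key in a test fixture"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "tests/fixtures.py"},
                 "region": {"startLine": 8}}}]},
        ],
    }],
}

if __name__ == "__main__":
    # "hardcoded-test-key" stands for a risk the team has accepted and recorded.
    sys.exit(run_gate(SAMPLE_SARIF, "error", {"hardcoded-test-key"}))
```

In a real pipeline the scanner writes the SARIF file and this step reads it with `json.load`; the suppressed set should come from a file in the repository that is reviewed like code, so that every accepted risk is visible in history and can be matched against the risk register.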
Penetration testing
Depending on what you find in your vulnerability assessment, you might need to do penetration testing (pen testing). You should also consider doing a pen test before production deployment and after you release significant changes.
During a pen test, security experts try to discover vulnerabilities using common tools and techniques, often working towards a specific goal, for example stealing customer data or modifying sensitive information.
A typical pen test produces a report listing the vulnerabilities found, rated by severity, with a suggested fix for each.
Consider using security experts in Defence or an external company. If you use an external company, they should be a verified supplier. Check the National Cyber Security Centre’s register.
Check GOV.UK guidance on vulnerability and penetration testing.
Bug bounties
After you have done other kinds of security testing, consider running a bug bounty.
This brings in many ethical hackers to identify vulnerabilities in your system. They are usually given user credentials, to simulate an attacker who has already compromised an account, which is how many security incidents begin.
Bug bounties often find vulnerabilities that other approaches miss.
You can hold a bug bounty remotely, or onsite for systems that do not have internet access.
Red teaming
Consider a red team exercise if you would like to test the complete security posture of your system.
Red teaming involves skilled security experts who focus not on identifying vulnerabilities, but on exploiting whatever vulnerabilities exist to break into your system.
It can include exploiting physical and human weaknesses, for example phishing.
A red team exercise can be run without your team knowing. This shows how your team would respond to a real-world attack.
Red teaming is the most demanding form of security testing, and is only useful once most of the other tests are complete. It is more appropriate for larger systems and platforms.
Share what you find
Whenever you do security testing, share what you find with your team and stakeholders. Do this even if you do not find any vulnerabilities. It gives stakeholders confidence that your technology or service is as secure as it can be.
Add vulnerabilities that you find to your project’s risk register. Include enough information for the team to decide how to mitigate risks. Make sure you track how vulnerabilities are being managed. This might be in a remediation action plan.
Ask for support
Before you ask for support, you need to:
- follow Secure by Design guidance and recommendations
- talk to your security experts
- ask the virtual assistant ‘Alix’
- talk to security software developers
Technical security teams
You can ask for support from a technical security team. Technical security teams are managed by the Joint Information Assurance Co-ordination Cell (JIACC).
On MODNET, search for ‘Joint Information Assurance Co-ordination Cell (JIACC)’.
Cyber Resilience Programme
If your project is a priority and considered high risk, you can ask for support from the Cyber Resilience Programme (CRP). They use external security experts for activities including:
- bug bounties
- red team events
On MODNET, send an email to UKStratComDD-IES-SI-CRP-VR
Cyber Security Advisory and Assurance Service (CySAAS)
Any project in Defence can get advice from the Cyber Security Advisory and Assurance Service (CySAAS) consultancy service.
For example, you have done a pen test but you have questions about the real-world impact of a specific issue.
On MODNET, search for 'CySAAS consultancy' on the Service Catalogue.
CySAAS can turn down requests for support that are considered the responsibility of project security officers.
Published January 2025