
Web Check — helping you to secure your public sector websites

Created:  17 Jul 2017
Updated:  17 Jul 2017
Author:  Philip C
[Figure: Web Check findings example screenshot]

The UK public sector has a huge digital estate to manage, and it isn't easy. Many of you with responsibilities in this area have told us that you'd really like help with keeping on top of all your services and staying protected against common problems with the websites you manage. We listened. We did the research. 

And so now we'd like to introduce you to Web Check — a free-to-use website configuration and vulnerability scanning service, available to all UK public sector organisations.

We've built up steadily during development and tested with users across government. So already, Web Check is robust and it:

  • services over 300 users with a 'quiet'* package of scans
  • scans more than 1,200 government sites every day
  • has delivered more than 2,900 findings to our users
     
*The 'quiet' package makes fewer connections to a server than an average web user visiting a single page.

We are also constantly expanding the range of vulnerabilities and misconfigurations that Web Check can check for and report on.


"Web Check came about by listening to the experiences of local government with automated vulnerability scanning tools. We see Web Check helping system owners find and fix common issues; letting them focus on trickier issues that only people can find."

Chief Technology Officer, NCSC Digital Government


Who can use it

Web Check is now live and currently available to those who manage websites for UK public sector bodies including:

  • local government
  • emergency services — Police, Fire and Rescue Services, NHS Ambulance Services, HM Coastguard
  • central government
  • the National Health Service
  • devolved administrations
  • Crown dependencies
  • British overseas territories

Of these, we think that local government and emergency services are particularly likely to benefit from using Web Check.

We will also look at opportunities to extend the service to the private sector in future.

What it does

First you create your own 'watch list' of website URLs you manage. Then Web Check runs a non-intrusive scan and reports its findings to you.  You can share your URLs and findings with colleagues and annotate findings for future reference.

Scanning

Web Check scans the URLs on your watch list and checks on whether or not your:

  • user data is protected both in transit and in the user's web browser
  • website is well engineered and modern technologies are in use to protect it, such as HTTP Strict Transport Security (HSTS) and Content Security Policy (CSP)
  • servers and their software are patched

Web Check does this on an ongoing basis, so it will inform you of new issues as they emerge and as new checks are added.

Reporting

Web Check reports to you, breaking down information about each website into several groups of findings:

  • positive — site configurations that conform to best practices
  • informational — configurations that you could optimise, or information that you may find useful
  • advisory — configuration problems that leave the site vulnerable
  • urgent — serious configuration problems that you should fix without delay
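
As an added illustration (not Web Check's own code or scoring), the Python sketch below audits one response's headers for the items listed under Scanning and sorts the results into the four groups listed above. The header sample is constructed, and the HSTS threshold and the group assigned to each finding are assumptions made for this example.

```python
import re
MIN_HSTS_AGE = 15552000  # assumed threshold (about six months), not a Web Check value

# Constructed sample response headers for illustration; not real scan data.
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=300"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure; HttpOnly"),
    ("Server", "ExampleHTTPd/2.4.1"),
]

def audit_headers(url, headers):
    """Return (group, message) findings for one response's URL and headers."""
    def values(name):
        return [v for k, v in headers if k.lower() == name]

    if not url.lower().startswith("https://"):
        # Browsers ignore HSTS sent over plain HTTP, so stop at the transport finding.
        return [("urgent", "page served over plain HTTP")]

    findings = []
    hsts = values("strict-transport-security")
    match = re.search(r'max-age\s*=\s*"?(\d+)', hsts[0], re.I) if hsts else None
    if not hsts:
        findings.append(("advisory", "HSTS header missing"))
    elif match and int(match.group(1)) >= MIN_HSTS_AGE:
        findings.append(("positive", "HSTS enabled"))
    else:
        findings.append(("advisory", "HSTS max-age missing or too short"))

    csp = values("content-security-policy")
    if not csp:
        findings.append(("advisory", "CSP header missing"))
    elif "'unsafe-inline'" in csp[0]:
        findings.append(("informational", "CSP allows 'unsafe-inline'"))
    else:
        findings.append(("positive", "CSP enabled"))

    for cookie in values("set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {p.split("=", 1)[0].strip().lower() for p in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(("advisory", f"cookie '{name}' lacks Secure"))
        if "httponly" not in attrs:
            findings.append(("informational", f"cookie '{name}' lacks HttpOnly"))

    if any(re.search(r"/\d", v) for v in values("server")):
        findings.append(("informational", "Server header discloses a version"))
    return findings
```

Run it against headers captured from a site you manage to see which of your own responses would land in each group under these assumed rules.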
     
Focusing on your certificates

Data from our trial users suggest that most urgent findings arise in sites that have misconfigured or outdated certificates (the data files that allow secure connections from a web server to a web browser). These issues can lead to insecure transactions and error messages, both of which harm the relationship between citizens and the public service they are using.

We aim to do more in this area, so that Web Check can help you set up and manage your certificates better.


"We use Web Check on new and existing URLs to check for common vulnerabilities and to ensure we have set sites up in line with current recommended practice. It gives peace of mind to know we will get notifications from the service if any future issues occur. If you are considering using this free service I would thoroughly recommend signing up."

Senior Project Manager, Local Authority


How to get started with Web Check

If you're among those listed under 'Who can use it', go ahead and create an NCSC Signin account at www.webcheck.service.ncsc.gov.uk. You can request access from there.

17 comments

paul - 17 Jul 2017
We are eligible for this service, but, more and more, we are engaging with third parties that host services for us - as we don't directly manage those services (and they won't have a gov.uk domain), is it permitted to include them as sites to be scanned?
Web Check team - 28 Jul 2017
Paul, thanks for your enquiry. You can add domains to Web Check with a non gov suffix as long as they host services that have a public sector function and you have permission to run our checks against them. If you need any help adding them you can contact us directly by choosing the "feedback" link from any page on the Web Check site.
David - 04 Aug 2017
We are a digital agency who develop sites and apps, as well as the middleware that powers them, for a range of public-sector clients, including the NHS. Are we able to access Web Check ourselves?
Chris - 14 Aug 2017
Can schools use the service?
Web Check team - 18 Aug 2017
Hi Chris. Thanks for your feedback and interest in Web Check. We can confirm that schools are able to use this service.
Nil - 20 Sep 2017
Will any of the information contained within the service be accessible or monitored by the NCSC or other organisation?
Can I obtain further detail on the hosted location and security standard employed by the service?
Many thanks.
Web Check team - 09 Oct 2017
All of the information contained within the service will be handled in accordance with the privacy policy at https://www.ncsc.gov.uk/privacy-policy and the terms and conditions at https://www.ncsc.gov.uk/terms-and-conditions.
Mark Taylor - 25 Sep 2017
What is the scanning schedule for sites that are added? Do you scan once and then only again if new vulnerability alerts are released since that scan, or do you re-scan on a set period?
Also can you explain the "Lifespan" column please? What does the lifespan time refer to?

Thanks in advance,

Mark
Web Check team - 09 Oct 2017
The scanning schedule varies but defaults to every 24 hours. The lifespan column shows the amount of time that has elapsed since the finding was last detected.
Buddy - 05 Oct 2017
Can regulated public utilities (Electricity, Gas, Water) use this function to check their public-facing websites?
Web Check team - 06 Oct 2017
Hi Buddy,

Regulated public utilities are not currently covered by the NCSC's terms and conditions and therefore, at this time, they cannot access Web Check.
Martin H. - 25 Oct 2017
Dear NCSC, you state "We will also look at opportunities to extend the service to the private sector in future." Can you say any more on this? Also internationally for other friendly countries CNI operators? Working with FCO and DIT this is an important topic for all. Happy to discuss.
nick smith - 31 Oct 2017
Hi Web Check Team

We are a major managed services who host multiple .gov customers (incl infrastructure and web sites) and have aligned our protective monitoring against the gpg13 framework. Would we be eligible for this service?
M - 14 Nov 2017
I am not responsible for my authority's (County Council) website but I have a cyber crime role within the business. Our IT functions are contracted out to a large outsourcing firm. Can I run the web check on our behalf so I can refer to the relevant teams (and potentially use the findings as a case study when working with partners) or does it need to be managed via the web team themselves?

Thanks
Web Check team - 16 Nov 2017
Thanks for the comment. You can run any public sector websites that you're responsible for through Web Check - or delegate the responsibility to your contractors.
Chris - 05 Dec 2017
We have a few public facing web pages /services from which we only allow user via HTTP (port 80) or are other ports required?

Does the service require additional access beyond basic web browsing to page?
Web Check team - 08 Dec 2017
Hi Chris. All that you need to add a URL to Web Check is for it to be publicly available for browsing.
