The UK public sector has a huge digital estate to manage, and it isn't easy. Many of you with responsibilities in this area have told us that you'd really like help with keeping on top of all your services and staying protected against common problems with the websites you manage. We listened. We did the research.
And so now we'd like to introduce you to Web Check — a free to use website configuration and vulnerability scanning service, available to all UK public sector organisations.
We've built up steadily during development and tested with users across government. So already, Web Check is robust and it:
- services over 300 users with a 'quiet'* package of scans
- scans more than 1,200 government sites every day
- has delivered more than 2,900 findings to our users
And, we are constantly expanding the range of vulnerabilities and misconfigurations on which Web Check can check and report.
"Web Check came about by listening to the experiences of local government with automated vulnerability scanning tools. We see Web Check helping system owners find and fix common issues; letting them focus on trickier issues that only people can find."
Chief Technology Officer, NCSC Digital Government
Who can use it
Web Check is now live and currently available to those who manage websites for UK public sector bodies including:
- local government
- emergency services — Police, Fire and Rescue Services, NHS Ambulance Services, HM Coastguard
- central government
- the National Health Service
- devolved administrations
- Crown dependencies
- British overseas territories
Of these, we think that local government and emergency services are particularly likely to benefit from using Web Check.
We will also look at opportunities to extend the service to the private sector in future.
What it does
First you create your own 'watch list' of website URLs you manage. Then Web Check runs a non-intrusive scan and reports its findings to you. You can share your URLs and findings with colleagues and annotate findings for future reference.
Web Check scans the URLs on your watch list and checks on whether or not your:
- user data is protected both in transit and in the user's web browser
- website is well engineered and modern technologies are in use to protect it, such as HTTP Strict Transport Security (HSTS) and Content Security Policy (CSP)
- servers and their software are patched
Web Check does this on an ongoing basis, so it will inform you of new issues as they emerge and as new checks are added.
Web Check reports to you, breaking down information about each website into several groups of findings:
- positive — site configurations that conform to best practices
- informational — configurations that you could optimise, or information that you may find useful
- advisory — configuration problems that leave the site vulnerable
- urgent — serious configuration problems that you should fix without delay
Data from our trial users suggest that most urgent findings arise in sites that have misconfigured or outdated certificates (the data files that allow secure connections from a web server to a web browser). These issues can lead to insecure transactions and error messages, both of which harm the relationship between citizens and the public service they are using.
We aim to do more in this area, so that Web Check can help you set up and manage your certificates better.
"We use Web Check on new and existing URLs to check for common vulnerabilities and to ensure we have set sites up in line with current recommended practice. It gives peace of mind to know we will get notifications from the service if any future issues occur. If you are considering using this free service I would thoroughly recommend signing up."
Senior Project Manager, Local Authority