GCHQ's infosec crew plans to 'scale up' Web Check to improve uk.gov site security

Efforts to improve the UK.gov's secure server setup are being ramped up through an expansion of a scheme from the National Cyber Security Centre, the infosec folk at British crypto and intel agency GCHQ.

The web certificate set-up and encryption offered by UK government and agency websites can sometimes fall below best practice, as recent issues with the Driver and Vehicle Licensing Agency (DVLA) illustrate. Almost all central government websites have started to follow best practice and website security - while there's still plenty of room for improvement - normally achieves at least a passing grade. The picture with local government websites is far less rosy, with examples of serious web security fails in Birmingham, Wigan and elsewhere thick on the ground.

The improvement of UK government website security over the last year can be chalked up to the National Cyber Security Centre’s Web Check service, according to the UK government's lead cyber-security agency.

Web Check tests websites for security issues before reporting the findings in audits back to owners alongside advice on how to fix any problems identified. The service - available to all public sector organisations - uncovered 6,000 different issues across almost 8,000 different sites, including 2,178 certificate related issues, according to stats from the NCSC.

More than 4,000 such advisories have been produced since April 2017, leading to most issues being fixed within two days of being reported.

The NCSC said it wanted to “encourage all gov.uk domains to benefit from the easy-to-implement Web Check service”.

Dr Ian Levy, NCSC technical director, said: "We identified that resource strapped public sector organisations sometimes had security problems on their web properties so we built Web Check, a free service for public sector to help identify the most common issues and provide remediation advice.

"The plan for the coming year is to scale the service to the vast majority of public sector sites," he added.

Independent security expert Paul Moore questioned whether the current patchy security picture can be blamed on a lack of resources.

"The lack of subsequent & necessary checks *could* be blamed on a lack of resources, but the implementation failures demonstrate a lack of technical understanding which no amount of funding would resolve," Moore told El Reg. "It appears that unless NCSC carried out their (excellent) work, the majority of the .gov portfolio would be festooned with security errors."

Web Check users can also create a "watch list" of website URLs they manage. The service involves running a growing set of non-intrusive scans before reporting findings back to subscribers. Users can share URLs and findings with colleagues as well as annotating findings for their own future reference.

Web Check is part of Active Cyber Defence, launched last year as part of the National Cyber Security Strategy, a more comprehensive scheme that ultimately aims to thwart commodity cyber attacks.

Moore noted that although Web Check looks at the security headers of audited sites it doesn’t report on this metric back to site owners, possibly because security headers are a more complex metric than Qualys SSLLabs-style digital certificate setup and configuration checks. He described this approach as “disheartening”.

“Without the NCSC, the services which we all rely on would be substantially weaker and in some cases, completely unfit for purpose,” Moore said. “....There's clearly much more work to do.” ®