
Published on 3 January 2024

Security testing on the productive AGOV environment

AGOV is being tested for vulnerabilities by means of penetration testing and a bug bounty programme. A login procedure must be very secure, and its security depends on the AGOV software, the operating platform (including the database) and the network connection. For this reason, security tests must be carried out on the whole system, preferably the productive version. The Federal Chancellery has commissioned the Federal Office for Defence Procurement, armasuisse, to perform penetration testing. The armasuisse specialists attempt to carry out unauthorised transactions on AGOV; they have detailed knowledge of the system, including the source code. The Federal Office for Cyber Security runs a bug bounty programme, which is also being used to check AGOV. This involves the use of ethical hackers, who simulate attacks without being party to system details. The ethical hackers receive a reward (bounty) for each vulnerability they report. Any non-critical vulnerabilities that are detected are remedied within a few days, while critical vulnerabilities are rectified the same day.
