Penetration testing

What is penetration testing?

A penetration test (pen test) is a security assessment used to identify vulnerabilities that could compromise your website or web application.

Important: You must notify GovCMS before performing any penetration testing on your site.

Why conduct a pen test?

Penetration testing helps improve your website’s security by identifying:

  • Existing vulnerabilities
  • The risks associated with those vulnerabilities
  • Potential solutions to address them

Who should conduct a pen test?

Security is a shared responsibility. Pen testing is especially encouraged for:

  • PaaS customers, who are responsible for managing their own application security
  • SaaS customers, to verify that custom code or webforms haven’t introduced new vulnerabilities

GovCMS also regularly performs penetration testing on the core distributions and platform to ensure baseline security.

When should you perform a pen test?

GovCMS recommends conducting a penetration test:

  • Before launching a new site
  • After significant updates or changes to your site

Do you need to run a load test?

No. Load testing is not required. The GovCMS platform includes a Content Delivery Network (CDN) and automatic scaling to handle high traffic and peak loads effectively.

How to notify GovCMS before testing

To ensure your pen test does not trigger security alerts or cause service disruption, follow these steps:

  1. Raise a ticket via the GovCMS Service Desk
  2. You’ll receive an email with a link to a pen test request form
  3. GovCMS will review and confirm approval for your test

Note: Conducting a pen test without prior approval may be flagged as a real attack. This could result in your traffic being blocked and delays to your testing.

After your test

Once your testing is complete, please share a copy of your report with GovCMS. Your findings contribute to the overall security of the GovCMS platform and help identify any areas for improvement.