Transport for London (TfL), the local government body responsible for billions of journeys annually across London, is seeking a partner to help it deliver a pan-TfL penetration testing and IT health check service across its sprawling estate.

Hinting that its existing cybersecurity team, the TfL Cyber Security and Incident Response Team (CSIRT), is spread thin, TfL said CSIRT is often engaged too late within the lifecycle of a project that needs a pen test, causing project delays.

A pen test is defined by the NCSC as “a method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might.” In short, it is a simulated attack, designed to shore up an organisation’s security.


Transport for London wrote on a European tenders page: “There are varying requirements for various business units and as such penetration testing can be split into distinct areas. These engagements can be via large contracts with single providers or smaller contracts with companies engaged through project activity.”


The organisation added: “In many cases… CSIRT are engaged late within the lifecycle of a project which requires a penetration test. When CSIRT are engaged after the application/system has gone live or been procured, and there has not been an independent penetration test, the project cannot go live, therefore delaying the project.”

TfL concluded: “Issues are also encountered when projects engage companies without determining the scope/methodology to address specific risks to TfL. This lack of scoping potentially leads to a lower quality service provided to TfL, delaying the overall project and increasing the overall project cost due to re-testing/independent verification.”

New Pen Testing Framework Needed

TfL wants to “create a framework to address many of these issues” and will host a series of market engagement events through to November 2018, at which “participating organisations will be engaged to elaborate upon their thinking.”

Charl van der Walt, Chief Security Strategy Officer at SensePost, told Computer Business Review: “I find TfL’s approach to this fascinating. I haven’t seen a security challenge tackled through open engagement like this before. To me it speaks to maturity in their thinking and work which is pretty uncommon.”

He added: “I think the challenges and frustrations they’re highlighting are pretty universal, however. Many businesses continue to use security testing in an ad-hoc and reactive way and therefore lose much if not all the benefit it promises. We work with some customers who release code multiple times a day and therefore need to think very hard about how security validation is applied in a meaningful way. Many companies, and indeed many testing vendors, still have no idea how to implement testing in that kind of environment.”

He concluded: “I would imagine that the framework they’re hoping for would have to consider a combination of static code analysis, external scanning, red teaming and bug bounties. Most of these are quite standard and easy to define and implement, but the integration of testing early into the development lifecycle, especially in a dynamic environment, is harder and requires fresh perspectives that many companies and vendors still haven’t mastered.”

TfL is responsible for Crossrail, the Tube and “surface transport” across London. The latter includes buses (which last year supported 2.24 billion journeys across the capital), trams, river services, cycling, roads and more.

The organisation derives over 85 percent of its revenue from passenger income and last year was forced to tighten its belt as it faced its first financial year without a direct operational grant from the government, meaning the loss of more than £700 million in funding. TfL has “consolidated” head office accommodation as a result, vacating older buildings and co-locating staff in a new hub in Stratford.