Sauer on Information Security | InfoSec-Blog for IT-Professionals | Patrick Sauer & Dominik Sauer

InfoSec Blog by Dominik & Patrick Sauer

Month: June 2022

Launch of binsec wiki

8. June 2022 by Patrick Sauer

binsec has launched its binsec wiki. Divided into the categories “Hack & Attack” and “Defend”, it publishes articles, how-tos and best practices on technical IT security topics. The first wiki article published was: OpenVPN: configure 2FA

binsec wiki | powered by binsec group GmbH

Posted in: binsec

i-Kfz: Requirements for penetration tests from the German Federal Motor Transport Authority (KBA)

7. June 2022 by Patrick Sauer

The “minimum security requirements for decentralized portals and registration authorities” for “internet-based vehicle registration (i-Kfz)” from the German Federal Motor Transport Authority (KBA) are extremely extensive. In addition to the architecture of the i-Kfz system, its interfaces and the security requirements derived from them, they also include requirements for conducting a penetration test.

To check the effectiveness of the implemented security controls, the KBA requires the implementation of the following as a penetration test:

  • IS short revision (if no ISO 27001/IT basic protection certification available)
  • IS web check
  • IS penetration test

All of the above tests are to be carried out as white box tests, and the personnel conducting the tests need to be qualified and independent.

A non-invasive vulnerability scan (defined test depth) with manual validation of the vulnerabilities is defined as an IS web check. The OWASP Top 10 should be checked and the corresponding modules of the IS web check should be carried out: “Module 1 – Vulnerability search”, “Module 2 – Vulnerability test”, “Module 3 – Logical errors/configuration errors” and “Module 4 – Exploits (optional)”. The test is to be carried out via the Internet, and the filtering of security gateways is to be deactivated for the duration of the test.

In the IS penetration test, the technical attack surface of an institution is examined from the outside. A technical security audit in combination with a non-invasive vulnerability scan is defined as test depth. In the scope, at least all network elements, security gateways, servers, web applications, relevant clients and infrastructure facilities must be checked, if technically possible and reasonable. The following modules are to be carried out: “Module 1 – conceptual weaknesses”, “Module 2 – implementation of hardening measures”, “Module 3 – known vulnerabilities” and “Module 4 – exploits (optional)”.

It should be mentioned here that experience has shown that the required depth of testing should be designed more as a non-invasive penetration test. Running a typical automated vulnerability scanner alone is not technically sufficient to fulfil the requirements.

Posted in: legislative regulation Tagged: iKfz

Comparison of PCI DSS 3.2.1 and 4.0 penetration testing requirements

2. June 2022 by Patrick Sauer

The current version 3.2.1 and the newer version 4.0 of the security standard PCI DSS both require penetration tests to be performed. The PCI standard establishes detailed requirements a penetration test needs to comply with. In PCI DSS 3.2.1 this is regulated in Requirement 11.3, in PCI DSS 4.0 in Requirement 11.4.

These requirements are basically identical in both versions 3.2.1 and 4.0:

  • based on industry-accepted penetration testing approaches
  • coverage of entire CDE perimeter and critical systems
  • testing from both inside and outside the network
  • validation of any segmentation and scope-reducing controls
  • testing of the network layer and the application layer
  • including review and consideration of threats and vulnerabilities experienced in the last 12 months
  • performing external, internal and segmentation testing every 12 months and after any significant change
  • service providers additionally need to perform segmentation testing every 6 months

There are two topics where the standards diverge, with PCI 4.0 providing the more mature version. First, PCI 4.0 takes a slightly different approach in its requirements for the application layer penetration test:

  • PCI v3.2.1 includes requirement 6.5 for application layer testing to check for:
    • injection flaws (e.g. SQL, LDAP, OS command, XPath)
    • buffer overflows
    • insecure crypto storage, insecure communications
    • improper error handling
    • XSS
    • improper access controls
    • CSRF
    • broken authentication and session management
    • also include the current best practices (e.g. OWASP Top 10)
  • PCI v4.0: including requirement 6.2.4 for application layer testing to perform at least:
    • injection attacks (including SQL, LDAP, XPath, command parameters, object fault or injection-type flaws)
    • attacks on data and data structures (for example manipulating buffers, input data)
    • attacks on cryptography usage
    • attacks on business logic including XSS and CSRF
    • attacks on access control mechanisms

Second, in PCI 4.0 the segmentation test also needs to include confirming the effectiveness of any use of isolation techniques for different security levels (see requirement 2.2.3).

Of course, independently of the PCI DSS version, the applied penetration testing approach needs to include fixing and re-testing any relevant vulnerabilities previously identified.

Posted in: PCI DSS Tagged: OWASP Top 10, PCI DSS 3.2.1, PCI DSS 4.0

Copyright © 2025 Sauer on Information Security | InfoSec-Blog for IT-Professionals | Patrick Sauer & Dominik Sauer.
