The “minimum security requirements for decentralized portals and registration authorities” for “internet-based vehicle registration (i-Kfz)” from the german Federal Motor Transport Authority (KBA) are extremely extensive. In addition to the architecture of the i-Kfz system, its interfaces and the security requirements derived from them, they also include requirements for conducting a penetration test.
To check the effectiveness of the implemented security controls, the KBA requires the implementation of the following as a penetration test:
- IS short revision (if no ISO 27001/IT basic protection certification available)
- IS web check
- IS penetration test
All of the above tests are to be carried out as white box tests and the personal conducting the tests need to be qualified and independent.
A non-invasive vulnerability scan (defined test depth) with manual validation of the vulnerabilities is defined as an IS web check. The OWASP Top 10 should be checked and the corresponding modules of the IS web check should be carried out: “Module 1 – Vulnerability search”, “Module 2 – Vulnerability test”, “Module 3 – Logical errors/configuration errors” and “Module 4 – Exploits (optional) “. The test is to be carried out via the Internet and the filtering of security gateways is to be deactivated.
In the IS penetration test, the technical attack surface of an institution is examined from the outside. A technical security audit in combination with a non-invasive vulnerability scan is defined as test depth. In the scope, at least all network elements, security gateways, servers, web applications, relevant clients and infrastructure facilities must be checked, if technically possible and reasonable. The following modules are to be carried out: “Module 1 – conceptual weaknesses”, “Module 2 – implementation of hardening measures”, “Module 3 – known vulnerabilities” and “Module 4 – exploits (optional)”.
It should be mentioned here that experience has shown that the required depth of testing should be designed more as a non-invasive penetration test. The use of a typical automated vulnerability scanner is not technically sufficient to fullfill the requirements.