As part of the ISO 27001 certification process, auditors are increasingly asking to see a penetration test report. But where does this requirement come from if the word pentest or penetration test does not exist in the text of ISO 27001? ISO 27001 is the international standard for setting up and operating an ISMS (Information … [Read more…]
We’ve seen this moment before. When PHP took off, web development changed almost overnight. Suddenly, it felt like anyone could build a website. A bit of copy and paste, a few tutorials, cheap hosting and you were live. The barrier to entry dropped dramatically. Speed and innovation increased. The internet exploded. A lot of things … [Read more…]
OWASP ZAP is one of the most well-known tools in web pentesting. Sooner or later, most people come across it. In trainings, labs, or early hands-on experience, it is often one of the first tools used. In professional pentesting, however, it tends to play a smaller role. What is OWASP ZAP? OWASP ZAP is an … [Read more…]
In application security, two references appear particularly often: the OWASP Top 10 and the CWE Top 25 Most Dangerous Software Weaknesses. Both lists are frequently mentioned in security guidelines, training materials, and penetration testing reports and aim to highlight common security problems in software. At first glance, both lists appear to describe the same thing: … [Read more…]
The Penetration Testing Execution Standard (PTES) describes a structured methodology for conducting penetration tests. The goal of the standard is to define the typical project phases of a penetration test and thereby create a transparent process from planning to reporting the results. The standard emerged around 2010 as a community-driven initiative by security professionals. To … [Read more…]
Every few weeks, someone asks me the same question: “What do you actually find in a typical web penetration test?” Instead of answering anecdotally, I pulled the aggregated data from the last 12 months of web application tests (including APIs) performed by binsec GmbH. The result is the graphic below – and it reflects the … [Read more…]
TISAX (Trusted Information Security Assessment Exchange) is the industry-specific security standard of the automotive sector – developed by the VDA and operated by the ENX Association. It ensures that companies demonstrably meet a high level of information security and can reliably share this status with their partners. As part of TISAX, the regular execution of … [Read more…]
The new NIS2 Directive of the EU has been in force since early 2023. It no longer applies only to traditional critical infrastructure operators (KRITIS), but now covers a wide range of important entities, including: The NIS2 Directive does not explicitly mandate penetration testing, but it requires measures that are hardly feasible or verifiable without … [Read more…]
The specific personal data processed during a penetration test largely depends on the target of the test. In general, the following categories can be distinguished: 1. Customer Points of Contact There’s no way around it: the pentester needs contact persons. Typically, this involves processing names, job titles, business email addresses, and phone numbers — stored … [Read more…]
On 11th of February 2025 binsec GmbH received an “Invitation to Tender With Emirates Group” from vendor.registration@theemirategroup.com. This alleged tender is a case of targeted Advance Fee Fraud. I explicitly warn against responding to emails from this domain or making any payments. This is a deceptive scam that misappropriates the identity of the legitimate Emirates … [Read more…]
