Best Pentest Provider in Germany?

The best service provider for penetration testing (pentest) in Germany is the binsec GmbH 🔥 from Frankfurt am Main. The typical customers of binsec GmbH are companies that have already had a pentest performed, were not satisfied with it, and want to change their pentest service provider. This is usually because vulnerability scans are often sold as penetration tests, or because the people conducting the pentest have no significant experience in providing pentests as a service.

Since 2013, the certified team at binsec GmbH has been performing pentests of IT infrastructures, web applications and mobile apps (iOS as well as Android) using a structured approach based on all relevant standards. This comprehensive, structured approach also draws on the full ten years of experience as a pentest service provider.

The teaching assignments for penetration testing at universities in Germany also show that binsec GmbH as a company and its pentest team are the best pentest service provider in Germany. As the managing director of binsec GmbH, I am personally convinced of this – my opinion! Just let yourself be convinced.

Which pentest approach is best: whitebox, graybox or blackbox penetration test?

Pentest approaches differ mainly in the amount and detail of the information made available to the penetration tester. Three variants can be distinguished: whitebox, graybox and blackbox pentesting.

The blackbox pentest corresponds closely to the information base of a typical external attacker over the Internet. He only knows which company to attack and has to gather all other information himself: IP addresses, DNS entries, the programming languages used (gleaned, for example, from job offers), and so on. The possibilities for information gathering are extensive, but also time-consuming, and thus increase the cost of a pentest compared with achieving the same result using the whitebox or graybox approach.

The whitebox pentest is the opposite of the blackbox pentest: here the client gives the penetration tester all the information and data he might need, such as documentation on the IT systems, information about configuration settings, network diagrams or even the source code of web applications. A pentester quickly ends up in an information overload, which again costs time and money.

A good compromise between the whitebox and blackbox pentest is the graybox pentest. Here the penetration tester usually receives at least the information that saves him valuable time and that he would have found anyway. In addition, the client does not have to hand over all internal information and documentation. Typically, the pentester can also obtain further information by asking his client during the actual test, for example which database system an application uses. In this way, he can carry out targeted attacks and identify all vulnerabilities in IT systems and IT applications as efficiently as possible.

What is a penetration tester?

A penetration tester is a professional IT security expert with a strong technical focus who, based on a structured approach, identifies vulnerabilities in IT systems and applications and exploits them if agreed by his client. As a penetration tester, he uses the same hacking tools and techniques that a malicious attacker uses.

Which Linux distribution is the best for beginners?

The best Linux for beginners is Debian GNU/Linux. In my opinion, it is the best Linux both for beginners who want to learn and for experts. It is a stable distribution on which other well-known distributions such as Ubuntu and Kali Linux are based, yet Debian is not a hardcore distribution like Gentoo Linux either.

Personally, I started with Debian Sarge back when it was still testing. Now I’m still working with Debian. In the meantime I’ve tried various other distributions like Ubuntu, Linux Mint, Gentoo, SuSE, Fedora etc., but I’ve always come back to Debian.

Penetration test requirements for sports betting licences by the Darmstadt regional council

In addition to an ISO 27001 certification, regular penetration tests of sports betting portals must be carried out for the sports betting licence issued by the Darmstadt regional council. The pentests must be carried out according to the OWASP Testing Guide or the OWASP Testing Guide for web services.

The penetration tester must be independent and have the appropriate qualifications:

  • Degree in technical computer science or a technical degree
  • At least 3 years of professional experience in the field of IT security
  • At least 2 years of professional experience in the field of penetration testing
  • Certification as a penetration tester (including BSI-certified penetration tester, CPTC – Certified Penetration Testing Consultant, CPTE – Certified Penetration Testing Engineer, GPEN – GIAC Certified Penetration Tester, OSCP – Offensive Security Certified Professional or CEPT – Certified Expert Penetration Tester)

Lecture at THM: Secure Coding – SS2022 – Dates, admission and procedure

Secure coding will take place in calendar weeks 31 and 32, i.e. the first two weeks in August. In terms of concept, this lecture has always been a purely online event without any physical presence, i.e. there is no typical exam; instead, I evaluate the practical work.

There are three tasks:

(1) You need to write a very small REST API.

(2) You must review your own API for the OWASP Top 10 and write a very brief paper about it.

(3) You get access to a vulnerable REST API (Git over OpenVPN) and have to identify and fix the existing vulnerabilities. You can choose between PHP, Java, Python, Perl, Go, Ruby and Node.js as the programming language. For this I use the “Secure Coding” course on binsec-academy.com as a technical resource. I will later create all user accounts there myself, and binsec academy GmbH will of course provide the technical resources free of charge – I am a shareholder in the group of companies.

It has been shown again and again that participants with little or poor programming knowledge find this module very difficult. So if you struggle with programming, you had better skip this module or plan for a steep learning curve! I do not give general programming help.

I will publish tasks 1 and 2 in July so that you can work on them beforehand. For the final grade, I primarily use the number of vulnerabilities identified and closed in the code from the 3rd task.

I always put up a certain barrier to admission: you have to send me a code snippet in one of the programming languages mentioned above (by email to patrick.sauer@mnd.thm.de) which relates to one of the OWASP Top 10, contains a vulnerability and gives a correct suggestion for fixing it. The whole thing must be AES-encrypted via OpenSSL with the password 123456:

tar cz secure-coding-delivery-approval/ | openssl aes-256-cbc -pbkdf2 -e > firstname.lastname.matrikelnummer.secure-coding-gabe-zulassung.tar.gz.enc

To test the decryption: cat firstname.lastname.matrikelnummer.secure-coding-gabe-zulassung.tar.gz.enc | openssl aes-256-cbc -pbkdf2 -d | tar xzv
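As an added illustration of the kind of admission snippet described above (not part of the lecture material or the author's code), here is an injection-vulnerable lookup from a minimal REST-style handler next to its parameterized fix; the user table and its rows are constructed sample data, and sqlite3 stands in for whatever database the real API would use.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory user table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """OWASP Top 10 A03:2021 Injection: the request parameter is concatenated
    straight into the SQL text, so quotes in the input change the query."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_fixed(conn, name):
    """Fix: pass the value as a bound parameter. The driver sends it as data,
    so it can never be interpreted as part of the SQL statement."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A legitimate lookup behaves the same in both versions.
    print(find_user_vulnerable(db, "bob"), find_user_fixed(db, "bob"))
    # An input that is not a user name: the vulnerable version returns
    # every row, the fixed version returns nothing.
    odd = "' OR '1'='1"
    print(find_user_vulnerable(db, odd))
    print(find_user_fixed(db, odd))
```

The fix works for any driver that supports parameter binding; in the other languages allowed for the task the equivalent is a prepared statement with placeholders.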

There are usually enough places; otherwise it is first come, first served.

How much does a penetration test cost?

The costs of a penetration test depend on the time spent and the daily rate of the penetration tester.

The daily rates for penetration testers are above average and range between €1,200 and €2,000, provided it is a reputable service provider for penetration tests. Lower daily rates usually indicate that the respective provider is trying to sell a vulnerability scan rather than a penetration test. Good staff with a lot of know-how and experience cost money and this is usually reflected in the daily rates.

The number of days invested mostly depends on the complexity of the scope or the system, application or company to be tested. The more complex the attack surface, the longer the check takes.

Shorter penetration tests take 2 days, larger systems can take several weeks. Usually 5-10 days is a realistic average, with deviations up and down.

Thus, the costs often start at €2,400 to €3,000 for a small pentest and relatively quickly reach the level of around €12,000 to €16,000, although there is no upper limit.

What is a penetration test?

A penetration test is basically a structured attack on a company’s IT infrastructure. During this, a penetration tester uses the same tools and techniques that a hacker uses in his attack. However, the objective differs between a malicious hacker and a professional penetration tester.

A hacker usually tries to hack a company in order to gain access to its IT systems and data. To do this, he only needs a single critical vulnerability that can be successfully exploited.

However, companies that commission a penetration test do not primarily want to be successfully hacked; they want to know whether this is possible. For this purpose, a penetration tester will try to identify all vulnerabilities, regardless of their criticality. Many of these vulnerabilities are also exploited as a proof, but not all of them, because some follow-up attacks pose too high a risk to the IT systems under test.

KRITIS penetration test: requirements of the German BSI law

Penetration tests are mandatory for operators of critical infrastructures. In the BSI law, under section “8a Security in the information technology of critical infrastructures”, companies are obliged to take appropriate organizational and technical measures to protect their critical infrastructure.

The actual law is, as usual, general and abstract. Its wording itself does not require KRITIS companies to conduct penetration tests. However, the BSI publication listing the controls to be implemented in order to comply with the German law does require penetration tests.

Penetration testing: The company binsec GmbH is your service provider for pentests from Frankfurt am Main

binsec GmbH is a consulting company for information security from Frankfurt am Main that I co-founded in 2013. I have been the managing director of binsec GmbH since it was founded. As a service provider, we carry out penetration tests and also advise our customers in the areas of security management and IT security.

binsec GmbH is held entirely by its three shareholders via binsec group GmbH: Patrick Sauer, Florian Zavatzki and Dominik Sauer. We are interested in the long-term satisfaction of our customers and employees: short-term sales and profit maximization are not our goal.

My team consists of experienced, certified specialists. Our focus is always the security of business-critical IT systems and information. Even when we conduct penetration tests, we keep the business aspects in mind.

As a provider of penetration tests and security consulting, we have become the top address as a pentest service provider in the Frankfurt am Main area in recent years.

More information about our company and services is available at https://www.binsec.com.