In many current requests for proposals (RFPs) and tenders for penetration tests, explicit reference is made to “the BSI standard” or “the NIST standard.” At first glance, this suggests methodical maturity and clear quality requirements. In my view, however, this trend is not without its problems: both references are highly generic and cannot substitute a … [Read more…]
As part of the ISO 27001 certification process, auditors are increasingly asking to see a penetration test report. But where does this requirement come from if the word pentest or penetration test does not exist in the text of ISO 27001? ISO 27001 is the international standard for setting up and operating an ISMS (Information … [Read more…]
OWASP ZAP is one of the most well-known tools in web pentesting. Sooner or later, most people come across it. In trainings, labs, or early hands-on experience, it is often one of the first tools used. In professional pentesting, however, it tends to play a smaller role. What is OWASP ZAP? OWASP ZAP is an … [Read more…]
In application security, two references appear particularly often: the OWASP Top 10 and the CWE Top 25 Most Dangerous Software Weaknesses. Both lists are frequently mentioned in security guidelines, training materials, and penetration testing reports and aim to highlight common security problems in software. At first glance, both lists appear to describe the same thing: … [Read more…]
The Penetration Testing Execution Standard (PTES) describes a structured methodology for conducting penetration tests. The goal of the standard is to define the typical project phases of a penetration test and thereby create a transparent process from planning to reporting the results. The standard emerged around 2010 as a community-driven initiative by security professionals. To … [Read more…]
TISAX (Trusted Information Security Assessment Exchange) is the industry-specific security standard of the automotive sector – developed by the VDA and operated by the ENX Association. It ensures that companies demonstrably meet a high level of information security and can reliably share this status with their partners. As part of TISAX, the regular execution of … [Read more…]
The new NIS2 Directive of the EU has been in force since early 2023. It no longer applies only to traditional critical infrastructure operators (KRITIS), but now covers a wide range of important entities, including: The NIS2 Directive does not explicitly mandate penetration testing, but it requires measures that are hardly feasible or verifiable without … [Read more…]
The specific personal data processed during a penetration test largely depends on the target of the test. In general, the following categories can be distinguished: 1. Customer Points of Contact There’s no way around it: the pentester needs contact persons. Typically, this involves processing names, job titles, business email addresses, and phone numbers — stored … [Read more…]
The IEC 81001-5-1 defines requirements for the life cycle of the development and maintenance regarding healthcare applications and information technology within medical devices. To achieve this, the standard sets requirements for various processes in the life cycle of a medical device and is primarily divided into the following requirement categories. Within the software development process … [Read more…]
In Annex I, for “devices that incorporate electronic programmable systems and software that are devices in themselves”, the MDR requires verification and validation under point 17.2 that the product or software was developed according to the state of the art – from the perspective of the IT security: For devices that incorporate software or for … [Read more…]
