A handpicked, subjective selection of pentesting providers

The market for pentesting providers is large. Too large. The gap between automated scans, generic reports, and truly in-depth penetration tests is significant. Choosing the right service provider ultimately determines whether you are just ticking compliance boxes or actually uncovering real security risks. This selection is intentionally subjective and handpicked. It is not based on … [Read more…]

OWASP Top 10 and CWE Top 25 – Two Perspectives on Software Weaknesses

In application security, two references appear particularly often: the OWASP Top 10 and the CWE Top 25 Most Dangerous Software Weaknesses. Both lists are frequently mentioned in security guidelines, training materials, and penetration testing reports and aim to highlight common security problems in software. At first glance, both lists appear to describe the same thing: … [Read more…]

PTES – Structure for Penetration Tests, but Not a Complete Standard

The Penetration Testing Execution Standard (PTES) describes a structured methodology for conducting penetration tests. The goal of the standard is to define the typical project phases of a penetration test and thereby create a transparent process from planning to reporting the results. The standard emerged around 2010 as a community-driven initiative by security professionals. To … [Read more…]

Requirements for a TISAX Penetration Test

TISAX (Trusted Information Security Assessment Exchange) is the industry-specific security standard of the automotive sector – developed by the VDA and operated by the ENX Association. It ensures that companies demonstrably meet a high level of information security and can reliably share this status with their partners. As part of TISAX, the regular execution of … [Read more…]

NIS2 and Penetration Testing – Mandatory or Optional?

The new NIS2 Directive of the EU has been in force since early 2023. It no longer applies only to traditional critical infrastructure operators (KRITIS), but now covers a wide range of important entities, including: The NIS2 Directive does not explicitly mandate penetration testing, but it requires measures that are hardly feasible or verifiable without … [Read more…]

What Personal Data Is Processed During a Penetration Test?

The specific personal data processed during a penetration test largely depends on the target of the test. In general, the following categories can be distinguished: 1. Customer Points of Contact: There’s no way around it: the pentester needs contact persons. Typically, this involves processing names, job titles, business email addresses, and phone numbers — stored … [Read more…]

Requirements for penetration tests according to ISO IEC 81001-5-1

IEC 81001-5-1 defines requirements for the development and maintenance life cycle of health software and information technology within medical devices. To achieve this, the standard sets requirements for various processes in the life cycle of a medical device and is primarily divided into the following requirement categories. Within the software development process … [Read more…]

Penetration Test according to MDR (Medical Device Regulation)

In Annex I, for “devices that incorporate electronic programmable systems and software that are devices in themselves”, the MDR requires verification and validation under point 17.2 that the product or software was developed according to the state of the art – from the perspective of IT security: For devices that incorporate software or for … [Read more…]

Penetration Test Requirements of Microsoft 365 App Compliance Program

Participating in the Microsoft 365 Certification App Compliance Program for Microsoft Teams applications, SharePoint Apps/Add-ins, Office Add-ins and web apps requires performing a penetration test. In the Initial Document Submission, a company needs to submit supporting documentation and evidence. Among other items, a Penetration Testing Report is required. A penetration testing report completed within the last … [Read more…]