free online tls test for a specific custom port, alternate to 443

Are you looking for a free online tool that checks and tests the SSL/TLS configuration on a specific custom port other than 443? Then check out the binsec.tools SSLCheck – there you can specify the port that should be tested, such as 8443. The SSLCheck of binsec.tools will give you an overview of the protocols and ciphers of the TLS configuration and checks the level of security. It even supports testing StartTLS for SMTP, IMAP and LDAP.

binsec.tools – WebCompScan

WebCompScan from binsec.tools enables you to identify the technologies used on websites and check whether they are outdated or vulnerable.

The technologies that the WebCompScan tool can detect include CMS systems, web servers, programming languages, JavaScript libraries, and also payment methods offered.

To detect the technologies, it uses open source databases with regex patterns. The website to be checked is automatically opened in a browser, and the patterns are used to check whether the various components of the website contain indications of known technologies. In addition to the HTTP headers and the HTML source code of the website, the Document Object Model (DOM) and the JavaScript variables are also analyzed.

In some cases, version information on the software components used can also be obtained in this way. In the next step, these are checked against an open source database for known vulnerabilities. It is also checked whether the software components are still supported by the manufacturer or are already end of life.

In principle, all of this information is public, but binsec.tools combines it into one free pentest tool.
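The detection approach described above, as an added example that is not WebCompScan's own code: a small regex pattern database is matched against HTTP headers, the HTML source and JavaScript variables, and any version found is compared against a minimum-supported table. The pattern database, the minimum-supported versions and the sample response are all constructed here and are assumptions, not data from the tool.

```python
import re

# Constructed pattern database in the style of the open source fingerprint
# databases such a scanner uses; the names and regexes here are assumptions.
PATTERNS = {
    "Apache": {"headers": {"server": r"Apache(?:/(?P<version>\d+(?:\.\d+)*))?"}},
    "jQuery": {"html": r"jquery[-.](?P<version>\d+(?:\.\d+)+)(?:\.min)?\.js",
               "js": {"jQuery.fn.jquery": r"^(?P<version>\d+(?:\.\d+)+)$"}},
    "WordPress": {"html": r'content="WordPress(?: (?P<version>\d+(?:\.\d+)*))?"'},
}
# Constructed "oldest supported" table: versions below it count as end of life.
MIN_SUPPORTED = {"jQuery": (3, 0, 0), "Apache": (2, 4, 0)}

def _record(found, tech, match):
    version = match.group("version")
    # keep the first version seen; never overwrite a known version with None
    if tech not in found or (found[tech] is None and version):
        found[tech] = version

def detect(headers, html, js_vars):
    """Map technology -> version (or None) from headers, HTML and JS variables."""
    found = {}
    lowered = {k.lower(): v for k, v in headers.items()}
    for tech, rules in PATTERNS.items():
        for hdr, pat in rules.get("headers", {}).items():
            if hdr in lowered and (m := re.search(pat, lowered[hdr])):
                _record(found, tech, m)
        if "html" in rules and (m := re.search(rules["html"], html, re.I)):
            _record(found, tech, m)
        for var, pat in rules.get("js", {}).items():
            if var in js_vars and (m := re.match(pat, str(js_vars[var]))):
                _record(found, tech, m)
    return found

def outdated(found):
    """Return detected technologies whose version is below the supported minimum."""
    result = []
    for tech, version in found.items():
        if tech in MIN_SUPPORTED and version:
            parts = tuple(int(p) for p in version.split("."))
            parts += (0,) * (3 - len(parts))  # pad "2.4" to (2, 4, 0)
            if parts < MIN_SUPPORTED[tech]:
                result.append(tech)
    return sorted(result)

# Constructed sample response, as the scanner would see it after loading the page.
SAMPLE_HEADERS = {"Server": "Apache/2.4.57", "X-Powered-By": "PHP/8.1"}
SAMPLE_HTML = ('<meta name="generator" content="WordPress 6.2">'
               '<script src="/js/jquery-1.12.4.min.js"></script>')
SAMPLE_JS = {"jQuery.fn.jquery": "1.12.4"}
```

A real fingerprint database carries thousands of such patterns and cross-checks the versions against a vulnerability feed; the version comparison above is deliberately simple and only handles dotted numeric versions.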

Starting: binsec.tools | Online Tools for Penetration Testing

The binsec group launches binsec.tools:

https://binsec.tools | Online Tools for Penetration Testing

  • SSLCheck: The SSLCheck module will show the available SSL/TLS protocols, ciphers and additional certificate information. The scan will run multiple SSL/TLS connections to the target domain.
  • WebCompScan: WebCompScan will browse to the given URL and will try to find the technologies used by applying different methods to the available information, such as the DOM, headers and many more. This scan is not invasive, as it will only browse the website once like any other browser.
  • DNSCheck: The DNSCheck will perform security and validation checks on the given DNS domain. This check is not invasive and will perform standard DNS lookups.

Requirements for penetration tests according to ISO IEC 81001-5-1

IEC 81001-5-1 defines requirements for the development and maintenance life cycle of health software and of the information technology within medical devices. To achieve this, the standard sets requirements for various processes in the life cycle of a medical device and is primarily divided into the following requirement categories:

  • Quality management
  • Software Development Process
  • Software Maintenance Process
  • Security Risk Management Process
  • Software Configuration Management Process
  • Software Problem Resolution Process

Within the software development process there is the requirement for software system testing, which is divided into security requirement testing, threat mitigation testing, vulnerability testing and penetration testing.

The manufacturer must commission a penetration test to identify security vulnerabilities in the software (health application or medical device). IEC 81001-5-1 requires that penetration testing attempts to compromise confidentiality, integrity and availability. This may involve bypassing several lines of defense in the design by using tools and, in particular, manual skills of the penetration tester.

The standard also emphasizes that penetration testers must be independent of the development department. Since very few medical device manufacturers have their own penetration testing department, a company specializing in this usually has to be commissioned.

Penetration Test according to MDR (Medical Device Regulation)

In Annex I, for “devices that incorporate electronic programmable systems and software that are devices in themselves”, the MDR requires under point 17.2 verification and validation that the product or software was developed according to the state of the art, seen from an IT security perspective:

For devices that incorporate software or for software that are devices in themselves, the software shall be developed and manufactured in accordance with the state of the art taking into account the principles of development life cycle, risk management, including information security, verification and validation.

REGULATION (EU) 2017/745 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 5 April 2017

In the Medical Device Coordination Group Document “MDCG 2019-16 Guidance on Cybersecurity for medical devices” there is now the requirement of penetration testing as a specification of the previous verification and validation requirement:

MDR Annex I Section 17.2 and IVDR Annex I Section 16.2 require for devices that incorporate software or for software that are devices in themselves, that the software shall be developed and manufactured in accordance with the state of the art taking into account the principles of the development life cycle, risk management, including information security, verification and validation. The primary means of security verification and validation is testing. Methods can include security feature testing, fuzz testing, vulnerability scanning and penetration testing. Additional security testing can be done by using tools for secure code analysis and tools that scan for open source code and libraries used in the product, to identify components with known issues.

Medical Device Coordination Group Document, MDCG 2019-16

Penetration Test Requirements of Microsoft 365 App Compliance Program

Participating in the Microsoft 365 Certification App Compliance Program for Microsoft Teams applications, SharePoint Apps/Add-ins, Office Add-ins and WebApps requires performing a penetration test. In the Initial Document Submission, a company needs to submit supporting documentation and evidence. Besides other topics, a penetration testing report completed within the last 12 months is required. This report must include the pentest of the live environment that supports the deployment of the app, along with any additional environment that supports the operation of the app. If segmentation controls are in place, these must also be validated.

The pentest requirements by Microsoft are:

  • Application and infrastructure pentesting must take place every 12 months.
  • These tests are conducted by a reputable independent company.
  • Remediation of identified critical and high-risk vulnerabilities must be completed within one month after the pentest report.
  • The full external attack surface (IP addresses, URLs, API endpoints, etc.) must be included within the scope of penetration testing and must be documented within the penetration testing report.
  • Web application penetration testing must include all typical vulnerability classes; for example, the most current OWASP Top 10 or SANS Top 25 CWE.
  • Retesting of identified vulnerabilities by the penetration testing company is not required; remediation and self-review are sufficient. However, adequate evidence to demonstrate sufficient remediation must be provided during the assessment. Retesting of identified vulnerabilities is nevertheless best practice in information security.
  • Penetration testing reports will be reviewed to ensure there are no vulnerabilities that meet the following automatic failure criteria:
    • Unsupported operating system
    • Default, enumerable, or guessable administrative accounts
    • SQL injection risks
    • XSS
    • Directory traversal (file path) vulnerabilities
    • Typical HTTP vulnerabilities, e.g., header response splitting, request smuggling, and desync attacks
    • Source code disclosure (including LFI)
    • Any critical or high score as defined by the CVSS patch management guidelines
    • Any significant technical vulnerability which can be readily exploited to compromise a large amount of EUII or OUI

Better Pentesting – No Bullshit

Actually, it should have been called BETTER PENTESTING – NO BULLSHIT, considering the advertising and sales promises of many pentesting providers. Somewhat less brutally, it became BETTER PENTESTING – NO NONSENSE as the new advertising slogan for pentesting by binsec GmbH.

How does one come up with all the bullshit – sorry, nonsense – of many other pentesting service providers? Here is a little best of nonsense:
  • Advertisement: “We find all vulnerabilities!”
  • Statement: “We perform penetration tests with Nessus.”
  • A pentest is sold, and as a report the customer receives an Excel file with about 10 lines of content.
  • “Certifications of our pentesters: CISSP, CEH…”
  • You don’t have staff for it, but you put the service “Penetration Testing” on the website. Typical for an IT system house or a data privacy company.
  • Penetration testing depth: vulnerability scan.
  • One does not rank high in Google and therefore buys pentest backlinks at zdnet (~1.000€) or has “Pentest Frankfurt” advertised as a service in forums.
  • Companies buy Google Ads with the keyword “blackhole pentest”.
  • The billable days are simply sold twice or three times over. In this way, employees can also achieve 250% target fulfillment for their own bonus.

Enterprise Security Magazine Europe: binsec recognized as one of the top Cyber Security Solution Providers

Today I received a very nice mail from Gloria with Enterprise Security Magazine Europe, telling me that binsec is recognized as one of the top Cyber Security Solution Providers.

Hi Patrick,

I am Gloria Lam with Enterprise Security Magazine Europe.

I am excited to inform you that our magazine’s evaluation panel has shortlisted binsec to feature as one of the ‘Top 10 Cyber Security Solution Providers in Europe 2022’ in our upcoming 2nd annual edition of ‘Cyber Security 2022’.

We want to feature binsec and bring out your specialization with a client-centric profile. binsec’s recognition feature published in this edition will depict your organization as a leader in the Cyber Security space and thus generate potential prospects while helping you convert existing prospects to clients. Our team has received positive feedback from our clients that the recognition profile has helped them convert their prospects to clients, and I’m sure you will see similar results.

At 3,000 Euros, you will receive a full-page exclusive interview-based profile. We will feature an HTML page of the profile on our website with a backlink to your website. Most importantly, you will acquire unlimited print and digital rights for the recognition profile, Logo, and Certificate of Honor. Upon your confirmation, we will schedule a telephonic interview with binsec’s CEO/Senior Management for us to move ahead.

Concerning the magazine, Enterprise Security Magazine Europe is a print and digital magazine with over 99,900 qualified subscribers across Europe. It provides a comprehensive platform for senior-level industry experts and decision-makers to share their insights following a unique learn-from-peers approach. This special edition will reach out to C-level decision-makers such as CISOs, Directors of Cyber Security, and Heads of Audit for Information security and privacy, to name a few, who are our subscriber base.

Patrick, we have worked with Industry leaders such as Ramy Houssaini (Chief Cyber & Technology Risk Officer & Group Privacy Officer at BNP Paribas); Steve Williamson (Audit Account Director, Information Security, and Data Privacy at GSK); Cedric Gourio (Group Chief Security Officer at Worldline), to name a few. Similarly, this year, we will have articles from such specialists. It will be an excellent platform for binsec to be highlighted along with them.

E-Mail from Gloria with Enterprise Security Magazine Europe, 19th of October 2022

Great, just 3,000 Euros for being listed and getting a backlink. Isn’t that a good offer?