Penetration test requirements for sports betting licences by the Darmstadt regional council

In addition to an ISO 27001 certification, regular penetration tests of sports betting portals must be carried out for the sports betting licence by the Darmstadt regional council. The pen tests must be carried out according to the OWASP Testing Guide or the OWASP Testing Guide for web services.

The penetration tester must be independent and have the appropriate qualifications:

  • Degree in technical computer science or a technical degree
  • At least 3 years of professional experience in the field of IT security
  • At least 2 years of professional experience in the field of penetration testing
  • Certification as a penetration tester (including BSI-certified penetration tester, CPTC – Certified Penetration Testing Consultant, CPTE – Certified Penetration Testing Engineer, GPEN – GIAC Certified Penetration Tester, OSCP – Offensive Security Certified Professional or CEPT – Certified Expert Penetration Tester)

Lecture at THM: Secure Coding – SS2022 – Dates, admission and procedure

Secure coding will take place in calendar weeks 31 and 32, i.e. the first two weeks in August. In terms of concept, this lecture has always been a purely online event without any physical presence, i.e. there is no typical exam; instead, I evaluate the practical work.

There are three tasks:

(1) You need to write a very small REST API.

(2) You must review your own API for the OWASP Top 10 and write a very brief paper about it.

(3) You get access to a vulnerable REST API (Git over OpenVPN) and have to identify and fix the existing vulnerabilities. You can choose between PHP, Java, Python, Perl, Go, Ruby and Node.js as the programming language. For this I use the “Secure Coding” course on binsec-academy.com as a technical resource. I will later create all user accounts there myself, and binsec academy GmbH will of course provide the technical resources free of charge – I am a shareholder in the group of companies.

It has been shown again and again that participants with little or poor programming knowledge find this module very difficult. So if you are at war with programming, you should rather refrain from this module or plan for a steep learning curve! I do not give general programming help.

I will publish tasks 1 and 2 in July so that you can work on them beforehand. For the final grade, I primarily use the number of identified and closed vulnerabilities in the code from the 3rd task.

I always put up a certain barrier to be admitted: you have to send me a code snippet in one of the programming languages mentioned above (by email to patrick.sauer@mnd.thm.de) which relates to one of the OWASP Top 10, contains a vulnerability and gives a correct suggestion for fixing it. The whole thing must be AES-encrypted via OpenSSL with the password 123456 (OpenSSL prompts for the password when the command runs):

tar cz secure-coding-delivery-approval/ | openssl aes-256-cbc -pbkdf2 -e > firstname.lastname.matrikelnummer.secure-coding-gabe-zulassung.tar.gz.enc

To test the decryption: cat firstname.lastname.matrikelnummer.secure-coding-gabe-zulassung.tar.gz.enc | openssl aes-256-cbc -pbkdf2 -d | tar xzv

There are usually enough places; otherwise it is first come, first served.

How much does a penetration test cost?

The costs of a penetration test depend on the time spent and the daily rate of the penetration tester.

The daily rates for penetration testers are above average and range between €1,200 and €2,000, provided it is a reputable service provider for penetration tests. Lower daily rates usually indicate that the respective provider is trying to sell a vulnerability scan rather than a penetration test. Good staff with a lot of know-how and experience cost money, and this is usually reflected in the daily rates.

The number of days invested mostly depends on the complexity of the scope, i.e. of the system, application or company to be tested. The more complex the attack surface, the longer the test takes.

Shorter penetration tests take 2 days; larger systems can take several weeks. Usually 5-10 days is a realistic average, with deviations up and down.

Thus, the costs often start at €2,400-3,000 for a small pentest and reach the level of around €12,000-16,000 relatively quickly, although there are no upper limits.

What is a penetration test?

A penetration test is basically a structured attack on a company’s IT infrastructure. During this, a penetration tester uses the same tools and techniques that a hacker uses in an attack. However, the objective differs between a malicious hacker and a professional penetration tester.

A hacker usually tries to hack a company in order to gain access to its IT systems and data. To do this, he only needs a single critical vulnerability that can be successfully exploited.

However, companies that commission a penetration test do not primarily want to be successfully hacked; they want to know whether this is possible. For this purpose, a penetration tester will try to identify all vulnerabilities, regardless of their criticality. Many vulnerabilities are also exploited to prove them, but not all, because some follow-up attacks would pose too high a risk to the tested IT systems.

KRITIS penetration test: requirements of the German BSI law

Penetration tests are mandatory for operators of critical infrastructures. In the BSI law under Section 8a, “Security in the information technology of critical infrastructures”, companies are obliged to take appropriate organizational and technical measures to protect their critical infrastructure.

The actual law is, as is typical, general and abstract. The wording itself does not require penetration tests to be conducted by KRITIS companies. But in the BSI publication of the controls to be implemented in order to comply with the German law, penetration tests are required.

Penetration testing: The company binsec GmbH is your service provider for pentests from Frankfurt am Main

binsec GmbH is a consulting company for information security from Frankfurt am Main that I co-founded in 2013. I have been the managing director of binsec GmbH since it was founded. As a service provider, we carry out penetration tests and also advise our customers in the areas of security management and IT security.

binsec GmbH is completely in the hands of the three shareholders via the binsec group GmbH: Patrick Sauer, Florian Zavatzki and Dominik Sauer. We are interested in the long-term satisfaction of our customers and employees; short-term sales and profit maximization is not our goal.

My team consists of experienced, certified specialists. Our focus is always the security of business-critical IT systems and information. Even when we conduct penetration tests, we keep the business aspects in mind.

As a provider of penetration tests and security consulting, we have become the top address as a pentest service provider in the Frankfurt am Main area in recent years.

More information about our company and services is available at https://www.binsec.com.