We carry out penetration tests for DiGa mobile applications. In the BfArM fast-track procedure for digital health applications (DiGa), a DiGa app must undergo a penetration test. This penetration test must be carried out according to the BSI's "Implementation Concept for Penetration Tests", and all components must be examined for the vulnerabilities listed in the OWASP Top 10. When new programming interfaces or similar components are introduced, the test must be repeated. According to the legislator, the security of the data must be ensured throughout the entire application process and in all possible use cases. Thus, the scope of the pentest must not only include the actual iOS and Android app; the pentest must also examine any underlying backend systems or APIs.
Since 2013, our certified penetration tester team has conducted pentests for IT infrastructures, web applications and mobile apps (iOS / Android), using a structured approach based on all relevant publications. As a service provider, we evaluate the identified and exploited vulnerabilities based on the associated business risk and compile them into a report that contains a summary for IT management as well as the technical details of the vulnerabilities identified. After you fix the vulnerabilities, we usually perform a retest at no additional charge.
Pentests use the same tools and techniques that real attackers would use to break into a system. They include the use of security tools as well as manual tests to uncover vulnerabilities. Thus a pentest is not an automated vulnerability assessment. On the contrary, as a service provider for penetration testing we use the same tools and techniques that real attackers would use to break into a system. But while a real attacker only needs to find and exploit one vulnerability, a penetration tester checks all relevant attack vectors.
Having a structured approach is one of the most important factors in achieving this and in providing a professional pentesting service. Our approach is based on the OSSTMM specifications as well as the OWASP Testing Guide / OWASP Top 10 and, if requested by the client, also complies with the requirements of the PCI DSS.
Pentests are always a compromise between effort and cost. Successful pentests offer a good balance between these criteria to facilitate the testing of all relevant attacks and attack vectors. The cost of such a test always depends on the time the penetration tester spends and on the extent and complexity of the IT system or web application. While a penetration test for a small application takes only some days, it can take several weeks for a large network or complex application.
Binding offers require prior information about the systems and applications that are to be examined. It is important that we get an initial impression of the target. For web applications, for example, test access can be helpful. Any additional information (e.g. the framework used) can make it easier for us to draft a suitable offer for you. If you need us to pentest an IT system, we will need the corresponding network addresses in advance. In this case, we will first perform a non-invasive network scan to get a first look at your network. We will provide a detailed offer once we can estimate the effort required.
binsec GmbH is your security service provider for penetration testing. Get in touch with us for your "DiGa Application" pentest offer!