- external pentest carried out for the web application efOnline
- effectiveness of the remedial measures taken confirmed in the retest
- SySS GmbH involved in security testing as an experienced provider
- regular checks for even more security are scheduled
Neu-Isenburg, August 2023 – For companies that want to take preventive action against possible external cyber threats, performing penetration tests (pentests) is crucial. Such tests are also important for efcom to keep our own IT security level as high as possible. Thus far, pentests for our web-based application efOnline have only been performed on the customer side. That way, hacker scenarios can be reproduced under individual IT framework conditions and are therefore highly informative. We have now decided to also conduct a pentest for efOnline independently of the customer’s operation. The main test was initiated by us in Q1/2023. The retest in Q3/2023 confirmed that the measures taken to address the findings from the main test were effective. We commissioned SySS GmbH, one of the leading providers in this field in Germany and Europe, with the testing.
“We think that a pentest for efOnline independent of the customer makes sense in order to ensure even more security”, emphasises Michael Petrovic, efOnline Product Manager at efcom. “This way, we can identify and eliminate potential weaknesses beforehand.” In light of increasing cyber attacks against companies, so-called external pentests are highly relevant. During these tests, experts try to hack into company networks, for example, to obtain sensitive data. After such a security check, all identified weaknesses are summarised in a report that includes a risk assessment and recommended measures to remedy the issues.
SySS GmbH divides the risks into high, medium, and low. For example, unauthorised manipulation of or access to data is classified as high risk. Medium risk includes security breaches that, in combination with other components, including human ones, can lead to a security incident. Low risk means weaknesses that do not allow changes by unauthenticated third parties. Based on the list of deficiencies, the audited company can then remedy the security weaknesses. During the retest, SySS GmbH performs a new check to review to what extent the weaknesses have actually been remedied.
“We are really well versed in pentests. However, IT security can never be ensured by purely selective measures”, explains Sebastian Schreiber, CEO of SySS GmbH. “Companies must also provide the appropriate security concepts and measures. Ultimately, it is a matter of making all those responsible aware of this issue through regular testing. Otherwise the tests cannot develop their full effectiveness.” efcom, too, plans on providing (even) more security through regular external pentests as well as fostering the relevant awareness among employees.
*Federal Office for Information Security (BSI Germany): “The State of IT Security in Germany 2022”