On May 22, 2023, Matthias Göhring, Head of usd HeroLab, gave a guest lecture on the topic of technical security analyses and pentesting at TUM as part of the lecture "Networks for Payments" with Dr. Hermann Sterzinger. The following topics were covered:
- A look at the current IT security situation in Germany and the world shows that the security of systems and applications is becoming increasingly important.
- With the help of technical security analyses, risks can be identified and subsequently reduced and eliminated.
- There are different types of technical security analyses, e.g. penetration test, red teaming, vulnerability scans. They all have advantages and disadvantages and answer different questions. Which security analysis is most suitable depends on the situation and the questions the company has to answer.
- In a pentest, short for penetration test, systems and applications are examined in a structured manner for existing vulnerabilities. In order to derive the greatest possible benefit from a pentest, it is essential to select the scope, testing approach, depth of testing and other factors.
- Assessing the quality of a pentest is anything but trivial. From the client's point of view, true negatives cannot easily be distinguished from false negatives. Therefore, when selecting a pentest service provider, one should make sure that the tests performed are also documented, not just the pure results.
To conclude, the procedure of a web application pentest was exemplarily demonstrated by identifying and exploiting an SQL injection vulnerability. Following the presentation, various questions were answered and discussed with the students.
For many years, usd AG has been involved in giving lectures, workshops and seminars at various universities in order to convey cyber security in a practical way.
"For my colleagues at usd and me, IT security is a passion that we have turned into a profession. In addition to this passion, good security analysts need a sound understanding of technical contexts and specific IT security know-how. We are therefore happy about every opportunity to share our knowledge with students and to show them perspectives of making IT security a profession."
Matthias Göhring