When Pentest Planning Becomes a Game of Tetris - A Look behind the Scenes of an Extensive Pentest Project with HanseMerkur

29. August 2024

In a world where security and efficiency must go hand in hand, our recent project with HanseMerkur Krankenversicherung AG shows how crucial good organization and clear communication are to the success of a pentest project. Despite a tight timeframe and the challenge of analyzing numerous assets between their respective release periods, we managed to test the security of the most important applications.

Digitalization in the insurance industry

The security of information is a top priority in the insurance industry. This results not only from legal requirements such as VAIT or ISO standards, but also from the profound obligation to the insured parties. This is because both confidential company and customer data is processed.

HanseMerkur fully lives up to this responsibility. The Hamburg-based personal insurer has its roots in health insurance, which is still the company's main line of business today. In addition, HanseMerkur is one of the market leaders in tourism insurance in the travel and leisure segment.

HanseMerkur's product range is rounded off by risk and pension products, property and accident insurance and pet insurance.

HanseMerkur offers its customers a comprehensive online service. With innovative web applications such as telemedical services and a service app, the convenience for its customers is constantly being increased. Applications such as these also process sensitive information and documents, meaning that a successful attack could potentially cause major damage. This is why HanseMerkur takes numerous security measures, including having its systems and websites regularly tested by penetration tests.

Proper organization goes a long way

Regular routine pentests of their applications are therefore a matter of course for HanseMerkur's security team. In May 2024, all of the most important assets were to undergo rigorous testing.

Jens Dykow approached the contract partner usd with the project goal: pentests for a large number of publicly accessible services, including various front-end and back-end systems from different areas of operation. Project period: 4 weeks. During this time, both release periods and various other organizational measures had to be taken into account.

"While these types of customer requirements are our daily business in pentest service management, this particular project was an exciting one. We were essentially playing Tetris. Our advantage: we have a large team of very well-trained analysts. By scheduling 11 different pentesters and creating a sophisticated pentest plan, we managed to get the pentests started at short notice and on HanseMerkur's desired date."


Caroline Trusheim, Team Lead Pentest Service Management, usd HeroLab

The team of analysts led by Robin Plugge and dedicated contact persons on the client's side started the first pentests at the beginning of May. The common goal was clear: to identify potential technical risks in order to further secure the infrastructure.

Communication is key

Flawless project planning was important in order to reconcile both agile release periods for the assets and complete test coverage. Communication between the analysts and contact persons at HanseMerkur was also excellent.

"This project is proof that with proper planning and the right resources, even the most complex pentest projects can be mastered efficiently. Often little things like missing activations or pieces of information hold up a project. We would like to express our thanks to the HanseMerkur project team for their good preparatory work and excellent support. When we had questions for our project contacts, the communication channels were open within minutes and we had an answer. We were also always aware of the planned release schedules or other restrictions. This ensured that the project ran smoothly for everyone, making our collaboration on it a particularly fun experience."


Robin Plugge, Senior Analyst and Project Lead, usd HeroLab

"In order to safeguard the work of HanseMerkur's IT security teams, we subject our internal and external systems to regular pentests at all levels, relying on rotating external experts to uncover any potential blind spots. We are particularly impressed by our collaboration with usd AG, whose uncomplicated, flexible approach, high level of expertise and comprehensive consulting services are a very good fit for our teams. The direct exchange at eye level between the analysts and our developers and IT specialists is particularly important to us. I can therefore only return the compliment on the cooperation on behalf of the other participants."


Jens Dykow, IT Development Services and Components, HanseMerkur Krankenversicherung AG


About HanseMerkur

With an annual turnover of EUR 2.7 billion (2023), HanseMerkur is the only independent and group-independent insurance group in the Hamburg financial center. The roots of the 149-year-old personal insurer lie in health insurance, which is still the company's main line of business today. HanseMerkur also specializes in private supplementary cover for people with statutory health insurance and, with 1.3 million supplementary policyholders (2023), is one of the largest German providers in this segment. In addition, with premium income of EUR 291.9 million (2023) in the travel and leisure segment, it is one of the market leaders in the tourism insurance industry. Further information can be found at www.hansemerkur.de.
