Tobias Glemser, secuvera: “one of the major risks is that anyone is able to publish or sell software without any criteria”
With businesses increasingly shifting online and new cyberthreats constantly emerging, ensuring a system’s security is more crucial than ever.
Businesses that don’t have cybersecurity as their primary focus often fail to recognize the need to secure their internal systems and perimeter. And when threats or auditors come knocking on their door, commercial antimalware and device security software can no longer help them.
Penetration testing is one of the solutions that can help any organization improve their cybersecurity. Cybernews reached out to Tobias Glemser, the Chief Executive Officer and BSI-certified Penetration Tester at secuvera, a German Cybersecurity Service Provider, to talk about the importance of quality pentesting and the newest threats that people should be prepared to deal with.
You have been in the industry for more than three decades. What has the journey been like for secuvera?
We started 40 years ago as a vendor-independent consultancy for telecommunication systems. In 1988, we did our first IT-Security research for the German Federal Office for Information Security (BSI). In 1992, we were accredited as the very first Evaluation Facility by the BSI. Since the early 90s, we have supported our clients in establishing sustainable Information Security Management Systems (ISMS) based on standards like ISO 27001 and the German BSI-Grundschutz. In 2000, we completed our Information Security portfolio by offering high-quality penetration testing. In 2015, we started with consulting services for Industry 4.0 Security based on IEC 62443.
Today, all of our three divisions are either accredited or certified as Evaluation Facility or Cybersecurity Service Provider by the German government.
Can you tell us a little bit about what you do? What issues do you mostly focus on?
Regarding penetration testing: Of course, most of our project days are used for application-based penetration testing. The vast majority of our penetration tests focus on web application penetration testing according to the OWASP testing guide. We developed a really efficient, risk-based approach to penetration testing against web apps.
One of the biggest trends in the market today is Red Teaming. Red Teaming is a high-risk approach desperately trying to simulate “real” cyberattacks. From our experience, few companies are mature enough regarding their cybersecurity protection to evaluate the risk of Red Teaming to properly benefit from a Red Team Assessment.
Therefore, we developed a new methodology called WBRT – White Box Red Teaming, combining the best of Red Teaming and penetration testing. This unique approach is risk-free and brings up results a penetration test would fail to deliver.
With so many years in the business, what are some of the cases you have worked on that stick out the most or presented the most challenges?
Naturally, we are not allowed to refer to project details in public. The most challenging penetration tests are those where the technology to be tested makes it impossible to follow any testing standards. For example, we tested civil drones, 5G networks, public transportation systems, radar networks, and many other “unusual” targets.
In our other areas, we evaluated the Zoom client according to the international standard Common Criteria. Zoom was finally certified by the German BSI in December 2021.
How do you think the pandemic affected your industry?
Hopefully, our clients will accept remote testing in the future as well. We developed a “Pentesting Box” allowing local testing remotely through a secure connection. The Box has many advantages compared to “real” on-site testing. Besides the ease of finding appointments, we reduce travel time, costs, and the CO2 footprint. We are certified as CO2 neutral, and sustainability is our core value as a company.
What cyber threats do you think the general public should be ready to tackle in the upcoming years?
Of course, ransomware is here to stay for the next few years. We should work hard to analyze and inform more about the initial attack vectors, like the fact that most users are able to execute programs. Most environments fail to have software whitelisting.
One of the major risks at the moment is that anyone is able to publish and/or sell software without any criteria. We need reliable tests and certification services to be mandatory, at least for basic requirements. In Germany, the BSI started the “IT-Sicherheitskennzeichen”, a basic cybersecurity label. While it’s no more than a self-disclosure for companies, it’s a starting point.
This is why I am convinced every software vendor should now start to take cybersecurity very seriously.
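To make the point about software whitelisting (application allowlisting) concrete, here is an added example that is not part of the interview and not secuvera’s tooling. It models three policies for deciding whether an execution event may run: no allowlisting (default allow), a path-based allowlist that trusts anything under installation directories, and a hash-based allowlist that only permits known binaries (default deny). The executables, paths and user names are constructed samples; the point it shows beyond the text is that a path-only rule still runs an unknown binary once it lands in a trusted directory, whereas a hash rule blocks it.

```python
"""Added example: comparing application-allowlisting policies on constructed events."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ExecEvent:
    """A process-start event as an endpoint agent might record it (constructed)."""
    user: str
    path: str
    image: bytes  # file contents of the executable


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample executables; the bytes stand in for real PE files.
APPROVED_APP = b"MZ\x90\x00 constructed approved line-of-business app"
UNKNOWN_INSTALLER = b"MZ\x90\x00 constructed unknown downloaded installer"

# Hash allowlist: only binaries that were reviewed and hashed may run.
ALLOWED_HASHES = {sha256(APPROVED_APP)}

# Path allowlist: directories assumed to be writable only by administrators.
TRUSTED_DIRS = ("C:\\Program Files\\", "C:\\Windows\\")


def allowed_by_path(ev: ExecEvent) -> bool:
    """Path rule: trust anything located under an installation directory."""
    return ev.path.startswith(TRUSTED_DIRS)


def allowed_by_hash(ev: ExecEvent) -> bool:
    """Hash rule: trust only binaries whose content is on the allowlist."""
    return sha256(ev.image) in ALLOWED_HASHES


def decide(ev: ExecEvent, policy: str) -> str:
    """Return 'allow' or 'block' for an event under the named policy.

    'none' - no allowlisting at all (every user can execute anything)
    'path' - default deny, except under TRUSTED_DIRS
    'hash' - default deny, except for known-good hashes
    """
    if policy == "none":
        return "allow"
    if policy == "path":
        return "allow" if allowed_by_path(ev) else "block"
    if policy == "hash":
        return "allow" if allowed_by_hash(ev) else "block"
    raise ValueError(f"unknown policy: {policy}")


# Constructed events: a legitimate app, an unknown file a user downloaded, and
# the same unknown file after it was placed under a trusted directory.
EVENTS = [
    ExecEvent("alice", "C:\\Program Files\\LobApp\\lobapp.exe", APPROVED_APP),
    ExecEvent("alice", "C:\\Users\\alice\\Downloads\\invoice.exe", UNKNOWN_INSTALLER),
    ExecEvent("alice", "C:\\Program Files\\Updater\\update.exe", UNKNOWN_INSTALLER),
]


def evaluate(policy: str) -> list:
    """Decide every sample event under one policy; returns (path, decision) pairs."""
    return [(ev.path, decide(ev, policy)) for ev in EVENTS]


def blocked_count(policy: str) -> int:
    """Number of sample events the policy would stop."""
    return sum(1 for _, decision in evaluate(policy) if decision == "block")


if __name__ == "__main__":
    for policy in ("none", "path", "hash"):
        print(f"policy={policy}: blocked {blocked_count(policy)} of {len(EVENTS)}")
        for path, decision in evaluate(policy):
            print(f"  {decision:5s} {path}")
```

Running the block shows the policy ordering the interview alludes to: with no allowlisting nothing is blocked, the path rule stops only the download in the user’s profile, and the hash rule also stops the unknown binary in the trusted directory. In practice the hash set has to be maintained with every software update, which is why production allowlisting usually combines publisher-signature rules with hash exceptions rather than relying on hashes alone.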
Why do you think certain companies fail to recognize the necessity of regular penetration tests?
Like quality, security is a non-functional requirement. Therefore, it’s hard to measure and often not a market requirement. In some areas, we already have market or regulatory requirements for Penetration Tests. We measure a huge difference between regulated markets and unregulated markets when analyzing the cybersecurity resilience of products.
Most companies still lack roles for cybersecurity like a Cyber Security Officer. This results in a non-critical need for cybersecurity and its subtask – penetration testing.
To be crystal clear: Penetration Tests are generally not a good starting point for a Cybersecurity Program. There are broader approaches for a 360-degree view on Cyber.
Additionally, what are the main problems that can arise if this safety practice is not conducted regularly?
First of all, every organization has to establish an Information Security Management System or at least a Cyber Security Maturity Model like the “Cybersecurity Check”, a standard in Germany. One of the tasks within an ISMS normally consists of penetration tests. The need for pentesting and its scoping is highly dependent on the customer’s risks and needs. Ultimately, the lack of penetration testing leads to blind spots being undetected by the organization but exploited by “real world” attackers.
Since work from home is the new normal these days, what cybersecurity solutions do you consider essential for remote teams?
The basics, such as securely encrypted hard drives, dedicated systems (PC, laptop), and VPN connection with secure authentication mechanisms. Most companies fail to implement even two out of the three. In cybersecurity, there is no one-stop solution that fits all needs of everyone. The perfect solution for organizations has to be chosen carefully.
Share with us, what does the future hold for secuvera?
We will follow our strategy of sustainability in four areas: our consultancy services, our employees, the environment, and our economic activity. All of our evolution rises from this core value.
One of the substantive goals is to support the software development lifecycle of our customers by coaching their development teams. For our Industry 4.0 customers, we are already offering an SDL Workshop covering IEC 62443. For all development teams, we have an SDL Workshop based on OWASP SAMM, which is a perfect toolbox enabling teams for the “shift left” paradigm. All of our workshops are lean, focused, and highly intense. We believe the solution for resilient Software lies in a strengthened SDL and not conducting the one and only Penetration Test at the end of a project.
We will continue developing standards in ISO and DIN norming groups. We want to help in developing high-quality but pragmatic testing procedures for robust and cyber secure Software and Hardware.