NextGenPSD2 certification

NextGenPSD2 certification | SRC launches audits for XS2A

Are you ready to certify your NextGenPSD2 implementation?

The revised Payment Services Directive (PSD2) requires banks to give authorised third parties access to customer account data. These third-party payment service providers (TPPs) are granted access, with the customer's consent, through a programming interface (XS2A, "access to account"). With this data, TPPs can offer innovative payment initiation and account information services. The NextGenPSD2 certification promotes the implementation of a uniform standard.

Most banks and API providers in Europe implement the XS2A interface using the NextGenPSD2 framework of the Berlin Group, an open, Europe-wide harmonised solution for implementing the PSD2 requirements for the XS2A interface.

A correctly implemented XS2A interface allows the institution to be exempted from providing a fallback interface. The NextGenPSD2 Implementation Support Program (NISP) offers participants a testing framework consisting of a test concept, a test case catalogue, compliance best practices and test tool requirements. The implementing institution evaluates its own work, and the implementation is considered complete on that basis. It remains to be seen whether the supervisory authority (NCA) will consider this self-assessment sufficient.

Why should you undergo the NextGenPSD2 certification?

The self-assessment of the NextGenPSD2 implementation already offers a high level of quality. However, different interpretations of the specification can lead to interoperability problems. There is currently no documented agreement between banks and third-party providers on the exact implementation of the XS2A interface. This increases the probability that the supervisory authority responsible for the bank will refuse the exemption from implementing a fallback interface.

SRC has extensive and detailed expertise from its involvement in the specification and implementation of the XS2A interface as part of NISP. On this basis, we have developed the NextGenPSD2 certification for you.

How does the NextGenPSD2 certification process work?

The inputs to the NextGenPSD2 certification are the test case catalogue, the implementation profile and the test specification of the implementing institution. Against these, SRC carries out a complete functional, security and performance audit of the NextGenPSD2 implementation.

Audit validation

During validation, the implementation is reviewed against the requirements laid down in the documentation.

Functional part

In the functional part, the test specifications are executed and the results are verified.

Non-functional part

In the non-functional part, the availability of the implementation under load (stress test) is determined and evaluated at the relevant points.

Security test

In the security test, penetration testing methods are used to evaluate whether the implementation of the XS2A interface offers sufficient protection against fraud attempts on customer data and transactions.

The certification is documented in a final report. If all requirements are at least sufficiently fulfilled, the institution receives an SRC certificate. With this certificate, the conformity of the implemented XS2A interface can be demonstrated to third parties and to the supervisory authority. Building on the first certification, regression audits can be carried out in the future.

SRC consulting services for development optimisation or for creating the test specification can be used to prepare for the NextGenPSD2 certification.

Why SRC?

As a co-editor of the NextGenPSD2 Framework and the NISP Testing Framework, SRC has a deep understanding of the NextGenPSD2 standards and of all tasks associated with testing. In addition, SRC has many years of experience in developing test environments and employs many licensed auditors for functional and security evaluations according to formal certification schemes. As a result, SRC is able to carry out a high-quality audit with manageable effort.

Are you interested in NextGenPSD2 certification? Then please contact us at info@src-gmbh.de.

ISB

Certificate course "Information Security Officer for Credit Institutions", 7 to 10 May 2019

The German Banking Act (KWG) and MaRisk require banks to ensure the integrity, availability, authenticity and confidentiality of the data in their IT systems and processes. Secure and efficient IT is, however, also essential for the economic success of a bank.

The new "Banking Supervisory Requirements for IT" (BAIT) formulate concrete expectations. Among other things, the Federal Financial Supervisory Authority (BaFin) calls in this guideline for a new function, the Information Security Officer, to be established. He or she manages the information security process and reports directly to the management board.

In cooperation with Bank-Verlag, SRC has already successfully completed three certificate courses for the "Information Security Officer (ISB) for Credit Institutions". Following the strong response and continuing demand, we are pleased that Bank-Verlag has made another date possible for this four-day certificate course.

From 7 to 10 May 2019, you will once again have the opportunity to train in Cologne to become an "Information Security Officer (ISB) for Credit Institutions".

Together with Heinrich Lottmann (TARGOBANK AG & Co. KGaA) and Alexandros Manakos (HSBC Trinkaus & Burkhardt AG), the SRC experts Sandro Amendola, Florian Schumann and Randolf Skerka will lecture on the norms and standards of ISO and IT-Grundschutz and on all legal and regulatory requirements relevant to you as an ISB. The topics of IT risk and contingency management as well as business continuity management will also be covered.

After passing the final examination, you will receive the certificate "Information Security Officer for Credit Institutions".

On 6 May 2019 you also have the option of acquiring the basic IT knowledge required for the course in a one-day intensive seminar in Cologne prior to the event. This seminar covers basics, terminology, encryption and IT security techniques in information technology.

Associate QSA

Associate QSA: qualifying as a QSA

SRC offers a mentoring programme for future security evaluators

The QSA accreditation: the previous, unstructured path to becoming a highly qualified security evaluator

Extensive experience is required to audit environments in which payment card data is accepted and/or processed for compliance with the PCI DSS security standard. To date, there has been no standardised way of fulfilling the prerequisites for admission as a PCI DSS assessor (Qualified Security Assessor, QSA): comprehensive professional experience, PCI DSS-specific training and examination, and at least two other accreditations in the fields of information security and IT auditing.

Associate QSA: the accompanied path to QSA

With the new Associate QSA programme of the Payment Card Industry Security Standards Council (PCI SSC), a path has now been defined through which new talent with a basic level of professional experience can advance towards QSA approval.

An Associate QSA is accompanied by an experienced QSA mentor. The development and growing audit experience of the Associate QSA are regularly reviewed and documented. In this way, it is monitored and ensured that the employee gains comprehensive experience in all relevant areas before he or she obtains QSA accreditation.

SRC provides training

The SRC team is known for not treating assessment standards as checklists to be worked through, but for deriving their application from complex environments and for supporting the customer as practically as possible in implementation and interpretation. This requires comprehensive expertise and experience combined with constant exchange with other experts.

SRC therefore welcomes the definition of a step-by-step procedure for the training and support of Associate QSAs, which contributes to the development of an appropriate qualification. SRC has registered as an Associate QSA company and has already had its first employee approved as an Associate QSA. In this way, the quality of audits in constantly changing payment environments is to be guaranteed in the future as well.

Accreditation

SRC receives accreditation as a Conformity Assessment Body (KBS) according to ISO/IEC 17065

Last month, the German Accreditation Body (DAkkS) granted SRC Security Research & Consulting GmbH accreditation for its Conformity Assessment Body (KBS) according to ISO/IEC 17065.

This accreditation covers the conformity assessment of (qualified) trust service providers who wish to have their trust services qualified in accordance with the requirements of Regulation (EU) No 910/2014 (eIDAS).

The eIDAS Regulation contains binding Europe-wide rules in the fields of electronic identification and electronic trust services. It creates a uniform framework for the cross-border use of electronic identification means and trust services.

As an EU regulation, it is directly applicable law in all 28 EU member states as well as in the European Economic Area.

Smart Metering

Opportunities and risks of smart metering

SRC's contribution to the Expert Roundtable on the security perspective for smart metering

On 22 August 2018, Dr. Deniz Ulucay and Dr. Jens Oberender, Senior Consultant at SRC, took part in the Expert Roundtable in Cologne. It was organised by eco – Verband der Internetwirtschaft and dealt with the topic "Smart Energy: Not without my Smart Meter?"

The meeting was attended by representatives of companies responsible for implementing the Energy Ordinance: suppliers of smart meter gateways were represented as well as network operators and start-ups, for example in the field of visualisation. In this context, Dr. Oberender gave an impulse talk. Drawing on the experience of SRC's evaluation body in evaluating security modules and smart meter gateways, he described opportunities and risks in smart metering. Using a risk-based approach, he outlined the standardisers' previous activities and the business opportunities to be exploited, but also their risks.

The complete presentation can be downloaded as a PDF. If you have any further questions on this topic, please do not hesitate to contact us.

Smart Energy

SRC smart energy expert at roundtable in Cologne

On Wednesday, 22 August 2018, an expert roundtable will take place in Cologne. Organised by eco – Verband der Internetwirtschaft, the expert roundtables are characterised above all by high expertise, multidisciplinary perspectives and intense discussion.

In August the motto of the event is "Smart Energy: Not without my Smart Meter?", and among other things it will build on the previous roundtable on the topic "Smart Home". People have been talking about smart metering for many years, but actual developments seem to lag far behind the plans and forecasts of that time. New framework conditions, new approaches and new success factors will be discussed in the expert panel on 22 August 2018.

Dr. Jens Oberender, Senior Consultant at SRC, will discuss in a talk in the thematic field "Security and perspectives of the smart meter" whether smart meters and their environment can be considered secure. Dr. Oberender draws on his many years of experience in consulting projects relating to the certification of smart meter gateways.

Cloud Security

SRC expands its competencies in cloud security

Cloud computing sets high standards for IT security

Cloud computing has long since become the norm, and more and more companies are outsourcing parts of their infrastructure and services to the cloud in order to act more flexibly.

However, the security challenges in the cloud go beyond traditional IT security requirements. For example, it must be technically guaranteed that only authorised persons have access to sensitive data. Special care must be taken to secure the cloud management interface. The biggest organisational challenge is the distribution of security responsibilities among several parties (the shared responsibility model). This must also be taken into account when drafting contracts and fulfilling compliance requirements.

Incorrect configuration of cloud accounts: billions of files freely accessible on the web

A recent incident shows how sensitive this issue is. Due to faulty configurations of Amazon Simple Storage Service (Amazon S3) buckets and web servers, a number of confidential documents ended up freely accessible to everyone on the Internet. These included payrolls, confidential patent applications and secret design plans for products under development. According to a report by the security company Digital Shadows, about 1.5 billion files were exposed. Confidential data in particular, such as internal reports, photos of department stores or data centres, or lists of security holes in internal company software, can be misused by attackers for attacks on the company or for theft.
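The exposure described above comes from bucket-level configuration rather than from any flaw in S3 itself: a bucket becomes world-readable either through an ACL grant to one of AWS's public groups or through a bucket policy that allows actions to any principal. The following is an added example, not code from SRC or from the Digital Shadows report, that checks both documents offline in the dict shapes that boto3's `get_bucket_acl()` and `get_bucket_policy()` return. The ACL, policy, bucket name and role ARN are constructed samples for illustration; the weak configuration is shown beside the corrected one.

```python
"""Offline check of S3 bucket configuration for public exposure.

Added example (not SRC's code and not taken from the Digital Shadows
report). It evaluates the two documents that make an S3 bucket public,
the bucket ACL and the bucket policy, without any AWS calls: the ACL and
policy documents below are constructed samples.
"""
import json

# Pre-defined AWS groups; a grant to either makes the bucket world-readable
# (AuthenticatedUsers means "anyone with any AWS account", which is effectively public).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """Policy fields such as Statement, Action and Principal.AWS may be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def acl_public_grants(acl):
    """Return (group URI, permission) for every ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append((grantee["URI"], grant.get("Permission")))
    return findings


def _principal_is_public(principal):
    """Principal "*" or {"AWS": "*"} matches anonymous callers as well as every AWS account."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def policy_public_statements(policy):
    """Return (Sid, actions) for each Allow statement that is open to any principal.

    A statement with a Condition block is not reported: keys such as
    aws:SourceIp or aws:SourceVpce narrow the principal, and whether that
    narrowing is adequate needs a human look rather than a flag here.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append((stmt.get("Sid", f"statement[{index}]"), _as_list(stmt.get("Action"))))
    return findings


def bucket_is_public(acl, policy):
    """True if either the ACL or the policy exposes the bucket to everyone."""
    return bool(acl_public_grants(acl)) or bool(policy_public_statements(policy))


# --- constructed samples: the weak configuration beside the corrected one ---

OWNER = {"ID": "example-canonical-owner-id"}  # placeholder, not a real canonical ID

# Weak: READ for AllUsers lets anonymous clients list every object key in the bucket.
WEAK_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
# Hardened: only the owner retains a grant.
HARDENED_ACL = {"Owner": OWNER, "Grants": [WEAK_ACL["Grants"][0]]}

# Weak: GetObject for Principal "*" serves every object to anyone who guesses or crawls a key.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports-bucket/*",
}]}
# Hardened: the same action, but only for one named IAM role (placeholder ARN).
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "RoleRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-report-reader"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports-bucket/*",
}]}

if __name__ == "__main__":
    for name, acl, policy in (("weak", WEAK_ACL, WEAK_POLICY),
                              ("hardened", HARDENED_ACL, HARDENED_POLICY)):
        print(name, "public" if bucket_is_public(acl, policy) else "private",
              acl_public_grants(acl), policy_public_statements(policy))
```

Against a live account the same functions take `s3.get_bucket_acl(Bucket=name)` and `json.loads(s3.get_bucket_policy(Bucket=name)["Policy"])` as input. The check is a detection aid, not the control: the account-level S3 Block Public Access settings (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets) are what prevent a grant or statement like the weak ones above from taking effect in the first place, and a statement with a Condition still deserves review because an overly broad aws:SourceIp range is public in practice.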

SRC employees acquire the Certificate of Cloud Security Knowledge

SRC supports its customers competently in meeting these challenges. To this end, several employees have acquired the Certificate of Cloud Security Knowledge (CCSK) from the Cloud Security Alliance.

The CCSK is the first cloud security certificate offered by the Cloud Security Alliance, the world's leading organisation dedicated to cloud security. The Cloud Security Alliance is a non-profit organisation and develops, in cooperation with ENISA, the vendor-independent standard for cloud security. By acquiring the certificate, SRC employees have gained the breadth and depth of knowledge needed to implement holistic cloud security programmes that protect sensitive information according to globally recognised standards.

International Common Criteria Conference

SRC gives a lecture on JTEMS at the International Common Criteria Conference in Amsterdam

From 30 October to 1 November, the 17th International Common Criteria Conference will take place in Amsterdam. The International Common Criteria Conference is presented with the support of the Common Criteria User Forum (CCUF). The CCUF provides a voice and communication channel between the CC community and the organising committees of the Common Criteria, the CCRA member organisations (national programmes) and policy makers.

SRC will again actively participate in this year's conference. In a presentation by our expert Sven-Martin Hühne on the topic "JTEMS: a Payment Scheme Independent Framework for POI Terminal specific Security Evaluations based on Common Criteria", the JTEMS framework is presented and its current state of affairs explained. The presentation deals with the advantages of a CC-based, payment-scheme-independent evaluation and certification procedure for POI terminals. The framework is a living example of the active use of the CC methodology by interested parties from the private sector (the German banking industry, UK Finance and Common.SECC). The possibility of embedding the JTEMS framework in the EU Commission's current discussions on a "European Security Certification Scheme" will also be addressed.

In the panel discussion "The Why and How of Using CC in Private Schemes", Regine Quentmeier discusses these aspects from the point of view of users from the European banking industry, in exchange with representatives of other economic sectors.

CSCUBS 2018

SRC gives students insight into exciting projects at CSCUBS 2018

Review of the 5th Computer Science Conference for University of Bonn Students

CSCUBS 2018 took place on 16 May on the premises of the University of Bonn and was organised by PhD and MSc students with the aim of promoting research in computer science and scientific exchange among students. Participation by researchers and practitioners was also encouraged. Students had the opportunity to submit their own contributions describing new research or development work in connection with computer science, including university projects, dissertations and results of other professional or leisure activities. In addition to the sponsoring companies, the students themselves gave talks.

SRC staff give students insight into exciting projects

Max Hettrich of SRC also reported on the company's fields of activity in a talk. The focus was on the evolution of payment, with the aim of bringing the "Girocard into the mobile phone". Of particular interest is what the security evaluation of payment cards has looked like so far and what new challenges mobile payment will bring. Reverse engineering of the applications used will play a central role in the security evaluation of smartphone-based solutions: the evaluator takes on the role of an attacker and tries to find ways to compromise the payment application. This is a central building block for evaluating the effectiveness of the implemented protection mechanisms. Whereas in the past SRC's evaluation facility primarily evaluated the security of payment cards, in future the penetration testing department will also contribute its expertise to the evaluation of mobile solutions.

The talk also covered more general topics, such as SRC's fields of activity and working atmosphere. Over the many years of SRC's existence, the core business of payment cards has grown into a multitude of other business areas. What makes SRC special as an employer and what SRC offers was also discussed.

Conclusions and impressions from SRC's point of view

"The high proportion of international students, the active participation in the event and the consistently independent organisation of CSCUBS made a lasting impression on us," said Jochen Schumacher of SRC. The BSI, BC Technologies and SRC accompanied CSCUBS 2018 with presentations. We were particularly pleased that SRC's practical contribution provided material for a productive discussion. The security of modern payment transactions is a topic that also moves students, as the many meaningful discussions in the plenum and the personal exchange at SRC's specially set up stand demonstrated. CSCUBS 2018 was an extremely successful and informative event, and SRC is looking forward to the next edition in 2019.

Image credit: https://twitter.com/CSCUBS_Bonn

Employee interview

From quantum physicist to security analyst at SRC: an employee interview

The following interview with Dr. Max Hettrich offers a look behind the scenes at SRC. We at SRC always have an open ear for our employees and are pleased that we were able to ask Max about his career and his work at SRC.

Hey, Max, let's start right away. What is your educational background?

I'm a physicist. After my studies I first worked in academic research, namely in experimental quantum optics. It was all about lasers, vacuum chambers and quantum physics, but also computer simulations and digital measurement technology. IT has always been part of it, even if not in the first place.

How did you become aware of SRC and the job advertisement, and why did you apply to SRC?

I became aware of SRC through a colleague at the time, who in turn knew an employee at SRC. After I learned that physicists are very welcome at SRC, and since I have always been interested in IT security topics, my curiosity was aroused.

How long have you been with SRC?

I joined SRC in July 2017, less than a year ago.

How did your training go?

It was very carefully considered and structured. Those responsible really thought carefully about the projects I was to work on. I always had enough freedom to find out which topics I liked most.

Which topics are you currently working on?

On the one hand, I deal with many compliance issues in the IT security environment, and on the other hand with reverse engineering of software for mobile devices in order to assess its security against various attack scenarios. These are two quite different subject areas, but they complement each other perfectly.

What are your main tasks and activities in your daily work?

Compliance projects are always about analysing a customer's system and assessing whether it meets regulatory requirements. Since no two systems are alike, it never gets boring.

The goal of reverse engineering is to understand the function of software and to extract any hidden assets without having access to the source code. This requires, for example, reading and analysing native code or debugging and instrumenting running programs.

What does your typical working day look like? Do you travel a lot?

Mostly I work at the SRC office in Wiesbaden. Atypically for a consulting firm, I travel rather little, since most of the work is simply done best when I am in direct contact with my colleagues on site.

What do you particularly like about SRC?

I find the rather flat hierarchy particularly positive, as well as the great freedom in choosing fields of activity.

And how do you feel about the working atmosphere at SRC?

I find the atmosphere here extremely pleasant. The fact that SRC is a rather small company with about 120 employees allows rather informal and direct communication. I believe that many conflicts simply do not arise as a result.

Keyword work-life balance: how can work at SRC be reconciled with your private life?

This really works out great! Our working hours at SRC are flexible, and overtime hours are always logged and can be compensated later.

What do you think applicants need to bring with them in order to be successful at SRC?

I think the most important things are pronounced analytical thinking and strong self-initiative. If you already have experience in one of SRC's fields of activity, all the better. But my impression is that generalists are also welcome at SRC. You then have the opportunity to acquire the necessary specialist knowledge on more narrowly defined topics as required.

One last question: what would you suggest to potential applicants?

Don't be shy! You can easily find out whether you like SRC's fields of activity by having a look at our website and our career portal. If so, just send us your application!