NextGenPSD2 certification | SRC launches audits for XS2A
Are you ready to certify your NextGenPSD2 implementation?
The revised Payment Services Directive (PSD2) requires banks to give authorised third parties access to their customers' payment account data. These third party payment service providers (TPPs) are granted access, with the customer's consent, via a programming interface known as XS2A (access to account). With this data, TPPs can offer innovative payment initiation and account information services. The NextGenPSD2 certification promotes a uniform implementation of this interface.
Most banks and API providers in Europe implement the XS2A interface using the NextGenPSD2 framework of the Berlin Group. This is an open and Europe-wide harmonized solution for implementing the PSD2 requirements for the XS2A interface.
A correctly implemented XS2A interface can relieve the institution of the obligation to provide a fallback interface, subject to an exemption granted by its supervisory authority. The NextGenPSD2 Implementation Support Program (NISP) offers participants a testing framework with a test concept, a test case catalogue, compliance best practices and test tool requirements. The implementing institution evaluates its own work and, on that basis, regards the implementation as complete. It remains to be seen whether this self-assessment will be considered sufficient by the national competent authority (NCA).
Why should you undergo the NextGenPSD2 certification?
The self-assessment of the NextGenPSD2 implementation already ensures a high level of quality. However, different interpretations of the specification can lead to interoperability problems: there is currently no documented agreement between banks and third-party providers on the exact implementation of the XS2A interface. This increases the probability that the bank's supervisory authority will refuse the exemption from providing a fallback interface.
SRC has extensive and detailed expertise from its involvement in the specification and implementation of the XS2A interface as part of NISP. On this basis, we have developed the NextGenPSD2 certification for you.
How does the NextGenPSD2 certification process work?
The inputs to the NextGenPSD2 certification are the test case catalogue, the implementation profile and the test specification of the implementing institution. On this basis, SRC carries out a complete functional, security and performance audit of the NextGenPSD2 implementation.
Audit Validation
During validation, the implementation is checked against the requirements laid down in its documentation.
Functional part
In the functional part, the test specification is executed and the results are verified.
Non-functional part
In the non-functional part, the availability of the implementation under load (stress test) is measured and evaluated at the relevant points.
Security test
The security test uses penetration testing methods to evaluate whether the implementation of the XS2A interface offers sufficient protection against fraud attempts on customer data and transactions.
The certification is documented in a final report. If all requirements are at least sufficiently fulfilled, the institution receives an SRC certificate. With this certificate, the conformity of the implemented XS2A interface can be demonstrated to third parties and to the supervisory authority. Building on the first certification, regression audits can be carried out in the future.
SRC's consulting services for optimising the development or for creating the test specification can be used to prepare for the NextGenPSD2 certification.
Why SRC?
As a co-editor of the NextGenPSD2 Framework and the NISP Testing Framework, SRC has a deep understanding of the NextGenPSD2 standards and of all tasks associated with testing. In addition, SRC has many years of experience in building test environments and employs many licensed auditors for functional and security evaluations under formal certification schemes. As a result, SRC is able to carry out a high-quality audit with manageable effort.
Are you interested in NextGenPSD2 certification? Then please contact us at info@src-gmbh.de.
Certificate Course “Information Security Officer for Credit Institutions” — May 7 to 10, 2019
The German Banking Act (KWG) and MaRisk require banks to ensure the integrity, availability, authenticity and confidentiality of data in their IT systems and processes. But secure and efficient IT is also essential for the economic success of a bank.
The “Banking Supervision Requirements for IT” (BAIT) formulate concrete expectations. Among other things, the Federal Financial Supervisory Authority (BaFin) has issued a guideline calling for the new function of the “Information Security Officer” to be set up. He or she controls the information security process and reports directly to the management.
In cooperation with Bank-Verlag, SRC has already successfully completed three certificate courses for the “Information Security Officer (ISB) for credit institutions”. After the great response and the continuing demand, we are pleased that the Bank-Verlag has made another date possible for this four-day certificate course.
From 7 to 10 May 2019, you will once again have the opportunity to train in Cologne as an “Information Security Officer (ISB) for credit institutions”.
In a team with Heinrich Lottmann (TARGOBANK AG & Co. KGaA) and Alexandros Manakos (HSBC Trinkaus & Burkhardt AG) the SRC experts Sandro Amendola, Florian Schumann and Randolf Skerka will give a lecture on the norms and standards according to ISO and IT-Grundschutz, as well as on all legal/regulatory requirements relevant for you as an ISB. In addition, the topics IT Risks and Contingency Management as well as Business Continuity Management will be discussed.
After passing the final examination, you will receive the certificate “Information Security Officer for Credit Institutions”.
On 6 May 2019 you will also have the optional opportunity to acquire the basic IT knowledge required for the course in a one-day intensive seminar in Cologne prior to the event. This course deals with basics, terms, encryption and IT security techniques in information technology.
Associate QSA — qualifying as a QSA
SRC offers mentoring programme for future Security Evaluators
The QSA accreditation — the previous, unstructured path to becoming a highly qualified Security Evaluator
Extensive experience is required to audit environments in which payment card data is accepted and/or processed for compliance with the PCI DSS security standard. To date, there has been no standardised way of fulfilling the prerequisites for admission as a PCI DSS assessor (Qualified Security Assessor, QSA): comprehensive professional experience, PCI DSS-specific training and testing, and at least two further accreditations in the fields of information security and IT auditing.
Associate QSA — the accompanied path to QSA
With the new Associate QSA programme of the Payment Card Industry Security Standards Council (PCI SSC), an opportunity has now been defined through which new talents with a basic level of professional experience can advance towards QSA approval.
An Associate QSA is accompanied by an experienced QSA mentor. The development and growing audit experience of the Associate QSA are regularly reviewed and documented. In this way, it is monitored and ensured that the employee has gained comprehensive experience in all relevant areas before he or she obtains QSA accreditation.
SRC provides training
The SRC team is known for not considering test standards as checklists to be processed, but for deriving their application from complex environments and for supporting the customer in the implementation and interpretation as practically as possible. This requires comprehensive expertise and experience in combination with a constant exchange with other experts.
SRC therefore welcomes the definition of a step-by-step procedure for the training and support of Associate QSAs, which contributes to the development of an appropriate qualification. SRC has registered as an Associate QSA company and has already had its first employee approved as an Associate QSA. In this way, the quality of audits in constantly changing payment environments is to be guaranteed in the future as well.
SRC receives accreditation for Conformity Assessment Body (KBS) according to ISO 17065
Last month, the German Accreditation Body (DAkkS) granted SRC Security Research & Consulting GmbH accreditation for its Conformity Assessment Body (KBS) according to ISO/IEC 17065.
This accreditation applies to the conformity assessment of (qualified) trust service providers who wish to have trust services recognised as qualified in accordance with the requirements of Regulation (EU) No. 910/2014 (eIDAS).
The eIDAS Regulation contains binding Europe-wide regulations in the fields of “Electronic Identification” and “Electronic Trust Services”. The Regulation creates a uniform framework for the cross-border use of electronic means of identification and trust services.
As an EU regulation, it is directly applicable law in all 28 EU member states as well as in the European Economic Area.
Chances & Risks of Smart Metering
SRC’s contribution to the Expert Roundtable on the security perspective for Smart Metering
On August 22, 2018 Dr. Deniz Ulucay and Dr. Jens Oberender, Senior Consultant at SRC, took part in the Expert Roundtable in Cologne. It was organised by eco — Verband der Internetwirtschaft and dealt with the topic “Smart Energy: Not without my Smart Meter?”
The meeting was attended by representatives of companies responsible for implementing the Energy Ordinance. Suppliers of Smart Meter Gateways were represented as well as network operators and start-ups, for example in the field of visualisation. In this setting, Dr. Oberender gave an impulse talk. Drawing on the evaluation body's experience in evaluating security modules and Smart Meter Gateways, he described the opportunities and risks of Smart Metering. Using a risk-based approach, he outlined the previous activities of the standardisation bodies and the business opportunities to be exploited, but also their risks.
The complete presentation can be downloaded here as PDF. If you have any further questions on this topic, please do not hesitate to contact us.
SRC Smart Energy Expert at Roundtable in Cologne
On Wednesday, 22 August 2018, an expert roundtable will take place in Cologne. Organised by eco — Verband der Internetwirtschaft, the expert roundtables are characterised above all by high expertise, multidisciplinary perspectives and high discussion intensity.
In August the motto of the event is “Smart Energy: Not without my Smart Meter?”, and among other things it will build on the previous roundtable on the topic “Smart Home”. Smart metering has been talked about for many years, but actual development seems to lag far behind the plans and forecasts of that time. New framework conditions, new approaches and new success factors will now be discussed in the expert panel to be held on 22 August 2018.
Dr. Jens Oberender, Senior Consultant at SRC, will discuss in an oral contribution on the thematic field “Security and perspectives of the Smart Meter” if Smart Meters and their environment can be considered as secure. Dr. Oberender draws on his many years of experience in consulting projects relating to the certification of Smart Meter Gateways.
SRC expands competencies in Cloud Security
Cloud computing sets high standards for IT security
Cloud computing has long since become the norm, and more and more companies are outsourcing parts of their infrastructures and services to the cloud in order to act more flexibly.
However, the security challenges in the cloud go beyond traditional IT security requirements. For example, it must be technically guaranteed that only authorised persons have access to sensitive data, and special care must be taken to secure the cloud management interface. The biggest organisational challenge is the distribution of security responsibilities among several parties (the shared responsibility model). This is exactly what must also be taken into account when drafting contracts and fulfilling compliance requirements.
Incorrect configuration of cloud accounts — billions of data freely accessible in the Web
A recent incident shows how sensitive this issue is. Due to faulty configurations of Amazon Simple Storage Service (Amazon S3) buckets and web servers, a large number of confidential documents ended up freely accessible to everyone on the net. These included payrolls, confidential patent applications and secret construction plans for products under development. According to the report of the security company Digital Shadows, about 1.5 billion files were exposed in this way. Confidential data in particular, such as internal reports, photos of department stores or data centres, or lists of security holes in internal company software, can be misused by attackers for targeted attacks on the company or for theft.
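The two passages above name the core technical points (only authorised principals may reach sensitive data, and a misconfigured S3 bucket exposes everything in it). The following checker is an added example written for this page, not SRC's code or part of the Digital Shadows report. It evaluates an S3 bucket policy, its ACL grants and its Public Access Block settings for anonymous read access, and shows the weak configuration beside the hardened one. All bucket names, policies, the account id and the role name are constructed sample data.

```python
"""Added example: flag S3 bucket configurations that expose objects to
anonymous readers. All policies, ACLs and identifiers here are constructed."""
import json

# Actions that let a caller read object contents or enumerate keys.
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}

# S3 ACL group URIs meaning "everyone" / "any AWS account holder".
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for the wildcard principal in either JSON spelling ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def policy_findings(policy):
    """One finding per Allow statement granting read access to an anonymous
    principal without a Condition narrowing the caller."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        read = set(_as_list(stmt.get("Action", []))) & READ_ACTIONS
        # A Condition (aws:SourceIp, aws:SourceVpce, ...) narrows "*"; such
        # statements still deserve review but are not flagged as world-readable.
        if not read or stmt.get("Condition"):
            continue
        findings.append({"sid": stmt.get("Sid", "<no Sid>"),
                         "actions": sorted(read),
                         "resource": _as_list(stmt.get("Resource", []))})
    return findings


def acl_findings(grants):
    """Permissions handed to the AllUsers / AuthenticatedUsers groups."""
    return [(g["Grantee"]["URI"], g["Permission"]) for g in grants
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS]


def public_access_block_gaps(config):
    """Public Access Block settings not enabled. With all four true, S3
    rejects public ACLs and public policies outright."""
    return [k for k in PAB_KEYS if not config.get(k, False)]


def audit_bucket(name, policy, acl, pab):
    """Combine the three checks into one report for a bucket."""
    return {"bucket": name,
            "public_policy_statements": policy_findings(policy),
            "public_acl_grants": acl_findings(acl),
            "public_access_block_gaps": public_access_block_gaps(pab)}


# --- constructed sample data (weak configuration) -----------------------
WEAK_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
  "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-payroll-archive/*"}]}""")
WEAK_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]
NO_PAB = {}

# --- hardened: same bucket, access limited to one role (placeholder account/role)
HARDENED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "PayrollServiceRead", "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::123456789012:role/payroll-service"},
  "Action": ["s3:GetObject", "s3:ListBucket"],
  "Resource": ["arn:aws:s3:::example-payroll-archive",
               "arn:aws:s3:::example-payroll-archive/*"]}]}""")
OWNER_ONLY_ACL = WEAK_ACL[:1]
FULL_PAB = {k: True for k in PAB_KEYS}

if __name__ == "__main__":
    print(json.dumps(audit_bucket("weak", WEAK_POLICY, WEAK_ACL, NO_PAB), indent=2))
    print(json.dumps(audit_bucket("hardened", HARDENED_POLICY, OWNER_ONLY_ACL, FULL_PAB), indent=2))
```

The weak bucket is flagged on all three axes; the hardened one on none. In a real environment the three inputs come from `GetBucketPolicy`, `GetBucketAcl` and `GetPublicAccessBlock`, and the checker should be complemented by an account-level Public Access Block so that a single mis-edited policy cannot reopen a bucket.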
SRC employees acquire Certificate of Cloud Security Knowledge
SRC accompanies its customers in these challenges with competence. For this purpose, several employees have acquired the Certificate of Cloud Security Knowledge (CCSK) from the Cloud Security Alliance.
The CCSK is the first cloud security certificate, offered by the Cloud Security Alliance (CSA). The CSA is a non-profit organisation that develops vendor-independent guidance for cloud security; the CCSK body of knowledge draws on the CSA Security Guidance and on ENISA's cloud computing risk assessment. By acquiring the certificate, SRC employees gained the breadth and depth of knowledge needed to implement holistic cloud security programmes that protect sensitive information according to globally recognised standards.
SRC gives lecture on JTEMS at the International Common Criteria Conference in Amsterdam
From 30 October to 1 November, the 17th International Common Criteria Conference will take place in Amsterdam. The International Common Criteria Conference is presented with the support of the Common Criteria User Forum (CCUF). The CCUF provides a voice and communication channel between the CC community and the organising committees of the Common Criteria, CCRA member organisations (national programmes) and policy makers.
SRC will also actively participate in this year’s conference. In a presentation by our expert Sven-Martin Hühne on the topic “JTEMS — a Payment Scheme Independent Framework for POI Terminal specific Security Evaluations based on Common Criteria”, the JTEMS Framework is presented and the current “state of affairs” is explained. The presentation deals with the advantages of a CC-based, payment scheme independent evaluation and certification procedure for POI terminals. The framework is a living example of the active use of the CC methodology by interested parties from the private sector (the German banking industry and UK Finance / Common.SECC). The possibility of embedding the JTEMS framework in the current discussions of the EU Commission on a “European Security Certification Scheme” will also be addressed.
In the panel discussion “The Why and How of Using CC in Private Schemes”, Regine Quentmeier discusses these aspects from the point of view of users from the European banking industry in an exchange with representatives of other economic sectors.
SRC provides students with insight into exciting projects as part of CSCUBS 2018
Review of the 5th Computer Science Conference for University of Bonn Students
CSCUBS 2018 took place on May 16th on the premises of the University of Bonn and was organised by PhD and MSc students with the aim of promoting computer science research and scientific exchange among students. The participation of researchers and practitioners was also encouraged. The students had the opportunity to submit their own contributions describing new research or development work related to computer science, including university projects, theses and results of other professional or leisure activities. In addition to the sponsoring companies, the students themselves gave lectures.
SRC staff provides students with insight into exciting projects
Max Hettrich of SRC also reported on the company’s fields of activity in a lecture. The focus was on the evolution of payment: the aim is to put the girocard into the mobile phone. Of particular interest is what the security evaluation of payment cards has looked like so far and what new challenges will arise for mobile payment in the future. Reverse engineering of the applications in use will play a central role in the security evaluation of smartphone-based solutions. The evaluator takes on the role of an attacker and tries to find ways to compromise the payment application; this is a central building block for judging the effectiveness of the implemented protection mechanisms. Where in the past the SRC evaluation facility primarily evaluated the security of payment cards, in future the penetration testing department will also contribute its expertise to the evaluation of mobile solutions.
In addition, the lecture also included more general topics, such as the fields of activity and working atmosphere of the SRC. The core business of payment cards has developed over the many years that SRC has been in existence into a multitude of other business areas. It was also discussed what makes SRC as an employer special and what qualities SRC offers.
Conclusion and impressions from SRC’s point of view
“The high proportion of international students, the active participation in the event and the consistently independent organisation of the CSCUBS made a lasting impression on us,” said Jochen Schumacher of SRC. The BSI, BC Technologies and SRC accompanied CSCUBS 2018 with presentations. We were particularly pleased that SRC’s practical contribution provided material for a productive discussion. The security of modern payment transactions is a topic that moves students too, as the many substantive discussions in the plenum and the personal exchange at SRC’s specially set up stand showed. CSCUBS 2018 was an extremely successful and informative event, and SRC is looking forward to the next edition in 2019.
Image credit: https://twitter.com/CSCUBS_Bonn
From Quantum Physicist to Security Analyst at SRC — An Employee Interview
The following employee interview with Dr. Max Hettrich allows a look behind the scenes of SRC. We at SRC always have an open ear for our employees and are happy that we were able to ask Max about his career and his work at SRC.
Hey, Max, let’s just start right away. What education do you have?
I’m a physicist. After my studies I first worked in academic research, namely in experimental quantum optics. It was all about lasers, vacuum chambers and quantum physics, but also computer simulations and digital measurement technology. IT has always been part of it, even if not in first place.
How did you become aware of SRC and the job advertisement and why did you apply to SRC?
I became aware of SRC through a colleague at the time, who in turn knew an employee at SRC. After I learned that physicists are very welcome at SRC, and since I have always been interested in IT security topics, my curiosity was aroused.
How long have you been with SRC?
I joined SRC in July 2017, less than a year ago.
How did your training go?
Very carefully considered and structured. Those responsible had really thought carefully about the projects to be considered. I always had enough freedom to find out which topics I liked most.
Which topics are you currently working on?
On the one hand, I deal with many compliance issues in the IT security environment, and on the other hand with reverse engineering of software for mobile devices in order to assess their security against various attack scenarios. These are two quite different subject areas, but they complement each other perfectly.
What are your main tasks and activities in your daily work routine?
Compliance projects are always about analysing a customer’s system and assessing if it meets regulatory requirements. Since no two systems are alike, it never gets boring.
The goal of reverse engineering is to understand the function of software and to extract any hidden assets without having access to the source code. This requires, for example, reading and analysing native code or debugging and instrumenting running programmes.
What does your typical working day look like? Do you travel a lot?
Mostly I work at the SRC office in Wiesbaden. Atypically for a consulting firm, I travel rather little, since most of the work is simply done best when I am in direct contact with my colleagues on site.
What do you particularly like about SRC?
I find the rather flat hierarchy particularly positive, and great freedom with regard to the selection of fields of activity.
And how do you feel about the working atmosphere at SRC?
I find the atmosphere here extremely pleasant. The fact that SRC is a rather small company with about 120 employees allows rather informal and direct communication with one another. I believe that many conflicts simply do not arise as a result.
Keyword Work-Life-Balance: How can work at SRC be reconciled with your private life?
This really works out great! Our working hours at SRC are flexible, overtime hours are always logged and can be compensated later.
What do you think applicants need to bring with them in order to be successful at SRC?
I think the most important things are pronounced analytical thinking and strong self-initiative. If you already have experience in one of SRC’s fields of activity, so much the better. But my impression is that generalists are also welcome at SRC. You then have the opportunity to acquire the necessary specialist knowledge on more narrowly defined topics as required.
One last question: What would you suggest to potential applicants?
Don’t be shy! You can easily find out whether you like SRC’s fields of activity if you have a look at our website and our career portal. If this is the case: Just send us your application!