OPS-22 Managing Vulnerabilities, Incidents and Crashes - Penetration Tests

Subcriteria: OPS-22.01B, OPS-22.02B, OPS-22.03B, OPS-22.04B, OPS-22.05B, OPS-22.06B, OPS-22.07B, OPS-22.08B, OPS-22.01AC, OPS-22.02AC, OPS-22.03AC, OPS-22.04AC, OPS-22.05AC, OPS-22.01AS, OPS-22.02AS, OPS-22.03AS

1. Overview

OPS-22 Managing Vulnerabilities, Incidents and Crashes - Penetration Tests

Designation | Standard
OPS-22.01B The cloud service provider performs penetration tests by qualified internal personnel or external penetration testers at least once a year and in case of significant changes to the cloud service in accordance with the policies for managing vulnerabilities (cf. OPS-18).

See section '1.2 Definitions' for the terms 'penetration test' and 'significant change'.

In contrast to vulnerability scans, which analyse code, the penetration tests referred to in this criterion mainly aim at probing the live system to uncover real-world vulnerabilities or weaknesses that only show up in the actual operation of the cloud service; this is what links this criterion to criterion OPS-18.

There are three types of penetration tests:

1. Black-box testing: Testing performed without prior knowledge of the internal structure/design/implementation of the object being tested;
2. Grey-box testing: Testing performed with partial knowledge of the internal structure/design/implementation of the object being tested; and
3. White-box testing: Testing performed with knowledge of the internal structure/design/implementation of the object being tested.

A further distinction can be made between

1. Pre-launch penetration testing: Testing already performed as part of the software development process during the test phase of the cloud service (cf. DEV-07); and
2. Post-launch penetration testing: Testing carried out during the regular operations of the cloud service.

Significant changes may include, but are not limited to, the following events:

1. Replacing core cloud infrastructure technologies or performing major version upgrades;
2. Moving between service organisations, such as switching to a new IaaS or data centre provider;
3. Material changes in the way cloud service customer data is processed and stored, such as new backup technologies or new regions from which the service is operated;
4. Replacing or performing major upgrades on security technologies such as authentication workflows, network security mechanisms or monitoring mechanisms; and
5. Material changes to the cloud service model or of functionality made available to the cloud service customer.
The qualification and competence of personnel for penetration tests can be verified based on professional certifications, e.g. as BSI-certified IS penetration tester or CREST-certified Cyber Security Professional.

OPS-22.02B Penetration tests are carried out in accordance with a documented framework for penetration tests that outlines the number and types of penetration tests to be performed and the requirements for the qualification and competence of the personnel to perform such tests. The number and types of penetration tests to be performed are determined based on a risk assessment (cf. OIS-07).

How many penetration tests should be performed within a year depends on factors such as the size and complexity of the provided cloud service. If penetration tests follow multi-year test plans, these should be considered when determining the number and types of penetration tests to be performed within a year.

OPS-22.03B Penetration tests target the system components relevant to the provision of the cloud service in the area of responsibility of the cloud service provider. System components to be targeted are identified in a risk assessment.

The risk assessment should be used to identify the system components that are most critical for the provision of the cloud service or most relevant for penetration testing.

System components relevant to the provision of the cloud service in the area of responsibility of the cloud service provider can comprise both system components exposed at the external perimeter of the network and components accessible only from inside the network.

OPS-22.04B Penetration tests are carried out in accordance with test plans that cover all relevant system components and specify which system components are to be tested.

OPS-22.05B If penetration tests follow multi-year test plans, each relevant system component is subjected to at least one penetration test within a maximum period of three years.

System components relevant to the provision of the cloud service in the area of responsibility of the cloud service provider can comprise both system components exposed at the external perimeter of the network and components accessible only from inside the network.
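The timing rules of OPS-22.01B, OPS-22.01AS and OPS-22.05B (a test at least every twelve or six months, a re-test after each significant change, and every relevant component covered within three years) can be checked mechanically against a multi-year test plan. The following script is an added example and not part of the C5 catalogue; the component names, test dates and change dates are constructed sample data, and the 182-day reading of "six months" is an assumption.

```python
"""Coverage check for a multi-year penetration test plan against the
OPS-22 timing rules (added example, not part of the C5 catalogue)."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Component:
    """A system component in scope of the test plan."""
    name: str
    tests: list = field(default_factory=list)    # dates of completed pentests
    changes: list = field(default_factory=list)  # dates of significant changes


@dataclass(frozen=True)
class Finding:
    component: str   # "*" marks a service-wide finding
    rule: str        # criterion the gap relates to
    detail: str


def years_before(d: date, years: int) -> date:
    """Same calendar day `years` earlier (29 Feb falls back to 28 Feb)."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def check_plan(components, as_of, test_interval_days=365, coverage_years=3):
    """Return the gaps between the plan and the OPS-22 timing rules.

    test_interval_days: 365 for OPS-22.01B; 182 (assumed six months) for OPS-22.01AS.
    coverage_years: every component tested within this period (OPS-22.05B).
    """
    findings = []
    coverage_cutoff = years_before(as_of, coverage_years)
    all_tests = []
    for c in components:
        # Only completed tests count; planned future dates are ignored.
        past_tests = sorted(t for t in c.tests if t <= as_of)
        all_tests.extend(past_tests)
        if not past_tests:
            findings.append(Finding(c.name, "OPS-22.05B", "never tested"))
        elif past_tests[-1] < coverage_cutoff:
            findings.append(Finding(
                c.name, "OPS-22.05B",
                f"last test {past_tests[-1]} is older than {coverage_years} years"))
        # A significant change must be followed by a test (OPS-22.01B / OPS-22.01AS).
        for change in sorted(c.changes):
            if change <= as_of and not any(t >= change for t in past_tests):
                findings.append(Finding(
                    c.name, "OPS-22.01B",
                    f"significant change on {change} not followed by a test"))
    rule = "OPS-22.01AS" if test_interval_days <= 182 else "OPS-22.01B"
    if not all_tests:
        findings.append(Finding("*", rule, "no penetration test on record"))
    elif as_of - max(all_tests) > timedelta(days=test_interval_days):
        findings.append(Finding(
            "*", rule,
            f"last test {max(all_tests)} exceeds the {test_interval_days}-day interval"))
    return findings


def sample_plan():
    """Constructed sample plan (not real data) exercising each rule."""
    return [
        Component("api-gateway", tests=[date(2022, 3, 1), date(2024, 2, 10)]),
        Component("auth-service", tests=[date(2023, 9, 15)],
                  changes=[date(2024, 6, 1)]),           # new auth workflow, no re-test
        Component("backup-store", tests=[date(2021, 1, 20)]),  # older than 3 years
        Component("internal-queue"),                       # never tested
    ]


if __name__ == "__main__":
    for f in check_plan(sample_plan(), date(2024, 12, 1)):
        print(f"{f.component:15} {f.rule:12} {f.detail}")
```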

OPS-22.06B The cloud service provider assesses the severity of identified vulnerabilities in accordance with the Common Vulnerability Scoring System (CVSS), in the latest version valid at the time of the assessment.

OPS-22.07B Actions for remediation or mitigation are taken in accordance with the time frames as defined in the policies for managing vulnerabilities (cf. OPS-18).

OPS-22.08B The vulnerabilities discovered through penetration testing are subject to a root cause analysis. The root cause analysis enables an assessment of the extent to which similar vulnerabilities may be present in the cloud service.

OPS-22.01AC Penetration tests are performed based on reviews of the architecture and configuration of the system components, and of the cloud service provider's source code.

OPS-22.02AC The cloud service provider designs a multi-year test plan for its penetration testing activities.

OPS-22.03AC The cloud service provider reviews the effectiveness of penetration tests on system components at least annually, and in case of significant changes to the cloud service.

OPS-22.04AC The cloud service provider uses the threat modelling process to prioritise system components with the highest risk exposure for penetration testing by systematically analysing cloud components, services, data flows, trust boundaries and assets critical to the cloud service to enumerate potential threats, vulnerabilities, and attack vectors.

This subcriterion is only applicable if subcriterion OPS-22.03AS is applied as well.

The risk-based scoping ensures that penetration tests focus on the areas most susceptible to security threats, improves business alignment and collaboration, and provides clear technical insight into which components require testing beyond standard risk evaluation.

For the threat modelling process, a structured threat modelling approach such as STRIDE, DREAD, PASTA, or hybrid methodologies tailored for cloud environments can be used.

OPS-22.05AC The cloud service provider correlates the possible exploits of discovered vulnerabilities with previous information security incidents to identify if the vulnerability may have been exploited before its discovery.

OPS-22.01AS The cloud service provider performs penetration tests at least every six months and in case of significant changes to the cloud service by independent external penetration testers in accordance with the policies for managing vulnerabilities (cf. OPS-18). The external penetration testers are engaged only if the personnel who are to perform the test verifiably meet the cloud service provider's qualification and competence requirements. Internal personnel for penetration tests may support the external personnel.

See section '1.2 Definitions' for the terms 'penetration test' and 'significant change'.

In contrast to vulnerability scans, which analyse code, penetration tests as referred to in this criterion mainly aim at probing the live system to uncover real-world vulnerabilities or weaknesses that only show up in the actual operation of the cloud service, thus creating the connection to criterion OPS-18.

There are three types of penetration tests:

1. Black-box testing: Testing performed without prior knowledge of the internal structure/design/implementation of the object being tested;
2. Grey-box testing: Testing performed with partial knowledge of the internal structure/design/implementation of the object being tested; and
3. White-box testing: Testing performed with knowledge of the internal structure/design/implementation of the object being tested.

It can further be distinguished between

1. Pre-launch penetration testing: Testing already performed as part of the software development process during the test phase of the cloud service (cf. DEV-07); and
2. Post-launch penetration testing: Testing carried out during the regular operations of the cloud service.

Significant changes may include, but are not limited to, the following events:

1. Replacing core cloud infrastructure technologies or performing major version upgrades;
2. Moving between service organisations, such as switching to a new IaaS or data centre provider;
3. Material changes in the way cloud service customer data is processed and stored, such as new backup technologies or new regions from which the service is operated;
4. Replacing or performing major upgrades on security technologies such as authentication workflows, network security mechanisms or monitoring mechanisms; and
5. Material changes to the cloud service model or of functionality made available to the cloud service customer.

The qualification and competence of personnel for penetration tests can be verified based on professional certifications, e.g. as BSI-certified IS penetration tester or CREST-certified Cyber Security Professional.

OPS-22.02AS Pre-launch and post-launch penetration tests are performed in accordance with a documented framework for penetration tests that outlines the number and types of penetration tests to be performed and the requirements for the qualification and competence of the personnel to perform such tests. The number and types of penetration tests to be performed are determined based on a risk assessment (cf. OIS-07).


How many penetration tests should be performed within a year depends on factors such as the size and complexity of the provided cloud service. If penetration tests follow multi-year test plans, these should be considered when determining the number and types of penetration tests to be performed within a year.

OPS-22.03AS Penetration tests target system components relevant to the provision of the cloud service in the area of responsibility of the cloud service provider. System components to be targeted are identified in a risk assessment incorporating, where applicable, threat modelling.


The risk assessment should be used to identify the system components that are most critical for the provision of the cloud service or most relevant for penetration testing.

1.1 References

1.2 Identified Requirements

1.2 Related Regulation

2. Identified Requirements

Requirements
Source Requirement

3. Related Regulations

Regulations
Source Regulation