07.11.2024
09:55 - 10:40 Uhr

Vortrag
Automation & Tools

Congress Center B

Prof. Dr. Jan Jürjens
Fraunhofer ISST & Uni Koblenz

Security Testing for Compliance: The case of DORA

The presentation shows how security testing can be carried out in such a way that the requirements of relevant regulations are met. This will be illustrated using the example of the EU regulation ‘Digital Operations Resiliency Act (DORA)’, which aims to strengthen the resilience, reliability and continuity of financial services in the EU and must be implemented in the financial sector by 17 January 2025.

This regulation imposes new requirements on service providers (and third-party providers of their critical services) to prevent, mitigate and reduce the impact of disruptions to digital operational services provided by financial organisations.<


Specifically, it requires:

  • Establish an annual security testing programme (e.g. network security testing, penetration testing, web app testing, social engineering, etc.) conducted by certified and experienced internal or external auditors.
  • Conduct an Advanced Threat Led Penetration Test (TLPT) for critical infrastructures and services at least once every three years. This must be carried out by certified and experienced internal or external auditors.
  • Include third-party ICT providers of critical services in the scope of the TLPT.
  • Ensure that all issues identified through re-testing or revalidation are resolved.
  • Utilise an external threat intelligence function.
  • Provide certification reports, summaries of findings and remediation plans to the relevant authorities upon completion of the TLPT.

Practical, tool-based application examples will be used to show how these challenges can be overcome as part of a comprehensive security testing methodology.


In particular, we consider the following questions:

  • How does DORA influence the requirements and approach to IT security testing?
  • How can organisations meet DORA requirements while maintaining effective IT security testing?
  • What measures and controls are required to verify the resilience of digital operations according to DORA requirements through IT security testing ?

Prof. Dr. Jan Jürjens, Fraunhofer ISST & Uni Koblenz

Jan Jürjens is Director Research Projects at the Fraunhofer Institute for Software and Systems Engineering ISST (Dortmund) and, as Professor of Software Engineering, leads the Institute of Software Engineering and the Institute of Computer Science  at the University of Koblenz. He studied mathematics at the Universities of Bremen and Cambridge, obtained his PhD in Computer Science at the University of Oxford, worked as a Postdoc at the Technical University of Munich, and was, e.g., Professor at the Technical University of Dortmund, Royal Society Industrial Fellow at Microsoft Research (Cambridge) and non-scholarship Research Fellow at Robinson College (University of Cambridge), where he was appointed Senior Member in 2009. He is the author of the book ‘Secure Systems Development with UML’ (Springer-Verlag 2005, Chinese translation 2009) and many other publications in the field of secure software and security testing.

Further information: https://www.uni-koblenz.de/en/computer-science/ist