Search Search
Ask for Support Ask for Support Support
Status Status Status
Tests & Pentests
» .CAMPUS » Learn » Tests & Pentests
Für (noch) mehr Sicherheit

Pentests and Quality Assurance

The verinice team relies on test-driven software development to ensure the highest quality standards. Our development processes include tests for both the frontend and the backend.

An important part of our security strategy is regular penetration testing (pentests), which also includes the hosting platform. These tests are designed to identify potential vulnerabilities and fix them before they can be exploited. The results of the pentests are incorporated into our continuous improvement processes, constantly enhancing the security of our platform.

Vulnerability assessment

We emphasize the importance of responsible security testing. Therefore, we ask that tests be carried out under defined conditions – our security policy contains our guidelines for the acceptable execution of tests.

Accessibility

We also place great emphasis on usability and accessibility. In the future, we will carry out tests in these areas. verinice should be user-friendly and accessible to everyone.

Talk to us! Use the verinice forum or write to us at verinice@remove-this.sernet.de. We are happy to answer questions about our security measures.

verinice Icon Pentest

Commissioned

RedTeam Pentesting GmbH 

Period 

Test start: June 26, 2025
Final meeting: July 3, 2025

Overall assessment by RedTeam

"Overall, the entire system is characterized by a very high level of security. The vulnerabilities identified in the previous test in February 2023 have since been remedied, insofar as they were within SerNet's direct sphere of influence. Furthermore, only one vulnerability was identified in the web shop, which was due to the use of a third-party Shopware plugin for providing two-factor authentication (2FA). [...] No security-related vulnerabilities were found in verinice.veo."

Findings and responses from SerNet 

  • Shop: Two-factor authentication data is sent to third-party service providers (QR code generation via plugin)
    Risk: low
    Status: The plugin manufacturer has been informed. Adjustments are being made so that the QR code is generated without an external service (local generation).
  • Shop: Old products still accessible (can be found and ordered via sitemap, among other places)
    Risk: information only
    Status: Cleanup/adjustment of the sitemap and the affected product/purchase paths so that products that are no longer officially offered cannot be ordered unintentionally.
  • verinice.veo: Creation of any number of inactive user accounts possible via the API
    Risk: information only
    Status: The check and restriction routine has been adjusted so that the corresponding number of available users is always required to create new user accounts, regardless of whether accounts are created as active or inactive.

Commissioned

RedTeam Pentesting GmbH 

Time frame

February 2023

Overall assessment of the RedTeam

"The penetration test by verinice.veo comes to a positive result. Only very few vulnerabilities and anomalies could be uncovered. In the core system, there is only one anomaly: in the reporting area, it is possible to call up an endpoint without any authentication. However, the returned data is so general and not customer-specific that the behaviour does not pose a risk and is merely inconsistent and unexpected. All other vulnerabilities and irregularities were uncovered outside of the core system in external, connected systems. [...] 

Overall, the tested system is secure and meets the requirements for the intended use and the data that will be managed with it. The vulnerabilities and irregularities uncovered should presumably be easy to address in the short term, in order to further increase the already high level of security."

Findings and reactions of SerNet

  • Missing authorisation when accessing main user accounts
    Risk: low
    Status:  Accessing the URL now requires a registered shop account to which the subscription is assigned, so it has been fixed.
     
  • Information disclosure of user account email addresses
    Risk: low
    Status: Error messages for existing email addresses have been changed in line with the pentesters' advice.
     
  • Client-side protection against changing user names
    Risk: information only
    Status: Change to the Keycloak configuration to prevent user names from being changed.
     
  • Missing authentication for reports
    Risk: Info only
    Status: No action required. The fact that the available report templates can be queried does not pose a risk. These can be accessed in the same way via the public source code repository and are not confidential.

Commissioned

Cure53, Dr.-Ing. M. Heiderich

Time frame

December 2021

Findings by Cure53

‘’The Cure53 team achieved excellent coverage of the WP1 to WP3 area items, identifying a total of eight vulnerabilities. Of these, two were categorised as security vulnerabilities and six as general weaknesses with less potential for exploitation. None of the discovered issues are critical or high severity, with the highest severity assigned being ‘medium’. This demonstrates that the SerNet team exercises care in their web and application security processes. While the application itself is very robust, most of the issues involve HTTP headers and could allow an attacker to prepare or execute an exploit."

SerNet's response

This first penetration test was carried out against an early development version to detect problems in the security architecture at an early stage. All identified vulnerabilities were fixed, largely through configuration changing the CSP, customising the HTTP headers, etc. Removing the ‘unsafe-inline’ directive proved more complex due to the open-source components used in the web UI, which contained inline Javascript. These were ultimately also eliminated by making our own modifications.

Contact us
Contact