Service: Security Engineering

Our policies for secure software designs and implementations help you to avoid security vulnerabilities and to initiate appropriate technical and organizational security measures in all phases of development and operation.

360° security engineering for your IT security concept

In security engineering, our experts at Fraunhofer IESE offer comprehensive services in the area of IT security. We have extensive experience in a variety of project constellations. Our competencies are subdivided into the following areas:

  • Auditing and evaluation of IT security, including network penetration tests
  • Software security assessment and compliance checks
  • Support through solutions for (automatic) document classification
  • Mediation between business, usability, and security

Auditing and evaluation of IT security including network penetration tests

We have been performing IT security checks within the Fraunhofer-Gesellschaft since 2002 and provide consulting regarding its IT security coordination. Checks are performed for Fraunhofer institutes as well as for central services of the Fraunhofer-Gesellschaft. Our security engineering and the regular checks are continuously developed further and are based on the ISO 27000 series. The current checking catalog includes, among other things, the Internet connection concept with perimeter router and firewall, the communication services and the core network services, the network, virtualization, data storage and data backup, client security and mobile devices, and physical security.

In addition, we perform network penetration tests. For this purpose, we have built a professional tool suite for scanning networks and services (red team activities). Beyond identifying weak points, it also provides suggestions for suitable countermeasures and for the hardening of systems and services. We also have project experience in the area of “WebExploits”, the use of special search engines (Shodan, PunkSpider), and checks regarding the use of SSL/TLS (incl. X.509v2 certificates).

Software security assessment and compliance checks

In the area of security assessment and compliance checks, we assess products and components in terms of their compliance with standards and their fulfillment of security requirements. This includes, for example, the fulfillment of domain-specific security standards such as 21 CFR Part 11 or proof of sufficient resistance against IT security threats, as well as adherence to best practices of IT security and avoidance of known vulnerabilities.

In addition, we perform threat analyses on behalf of our customers and support them in the elicitation of security requirements. For this purpose, we provide a structured and systematic method for the elicitation of IT security requirements and accompany the process.

We also assess technologies for specific application contexts (e.g., use in Cloud environments) and support risk assessment.

Support through solutions for (automatic) document classification

Data and documents (customer data, IP, personal data, etc.) must be adequately protected. To do so, they must be classified so that the correct security measures can take effect. Classification rules are determined through internal requirements (e.g., ISMS, corporate specifications, organizational rules and regulations) as well as through external requirements (e.g., laws).

We offer tool support for the classification of your documents with the MYDATA plugins for Microsoft Office. Our components support you in classifying documents in accordance with your corporate guidelines and automate adherence to the specified measures. Our MYDATA plugins support Microsoft Word, Excel, PowerPoint, and Outlook.

Finding solution alternatives with our mediators for business, usability, and security

Carrying out professional security engineering and establishing an IT security concept poses not only technical challenges. In practice, conflicts between security and (the optimization of) business processes are common. The reason is that not all functions desired by a business or a user can be implemented easily, due to security concerns or issues. For example, comprehensive data collection to optimize processes makes sense, but may jeopardize the privacy of employees or users.

Our experts mediate in this area of potential conflicts. To do so, they elicit requirements and concerns from both sides. They develop solution alternatives as a transparent basis for decision-making and mediate between the parties. We have comprehensive competencies, for instance in the areas of User Experience and Security, from more than 15 years of working in joint projects.

Projects and References

  • Security and Conformity Checks at Testo AG
  • Secure Software Engineering for Embedded Systems with John Deere
  • Conformity Evaluation at Roche Diagnostics
  • Auditing of IT Security and Consulting for Fraunhofer-Gesellschaft