Security Assessment at All Levels: Pentest and Cloud Security Audit at Deutsche Fiskal

December 1, 2023

The need for a pentest is often driven by compliance requirements. In many cases, however, a pentest alone is not enough to make a reliable statement about a company's security level. Especially when applications are hosted in the cloud, additional attack vectors such as misconfigured cloud services must be taken into account. Deutsche Fiskal (DF) therefore commissioned usd AG to carry out a cloud security audit of its cloud infrastructure in addition to a pentest of its application. The usd AG team of experts analyzed the configuration of the Azure cloud services and the applications running on them.

As a nationwide provider of cloud-based solutions, Berlin-based Deutsche Fiskal, together with its partner D-Trust GmbH, a company of the Bundesdruckerei Group, provides a comprehensive range of solutions for implementing the legal requirements for POS systems. Deutsche Fiskal consistently relies on cloud computing as a modern technological platform for the implementation of its solutions.

"As a provider of cloud solutions, Deutsche Fiskal processes a very high volume of transactions, which can reach very high peaks, especially at the end of the year," explains Jan Dau, Managing Director of Deutsche Fiskal. "The cloud offers an ideal solution here with its flexible scalability and high availability. Ensuring the best possible level of security for our customers is our top priority. Together with usd AG, we therefore decided at an early stage to have our cloud configuration thoroughly tested in addition to the penetration test. We would like to thank them for their pleasant and competent cooperation."

As the basis for its process model, usd AG has developed a special test procedure that meets the highest security standards. The experts are guided by the requirements of the Payment Card Industry Data Security Standard (PCI DSS), the recommendations of the German Federal Office for Information Security (BSI) and the guidelines of the Open Web Application Security Project (OWASP). The best practices of leading cloud service providers and the benchmarks of the renowned Center for Internet Security (CIS) are also taken into account. By cleverly combining these requirements, the process model ensures a holistic view of the security level and a sustainable increase in security for the tested systems.

Dustin Born, IT Security Consultant at usd AG, oversaw the penetration test for Deutsche Fiskal: "The cloud offers its users a wide range of functions and a high degree of flexibility - however, the security-related risks involved are often underestimated. Even if the underlying cloud infrastructure is secure, vulnerabilities can occur that can be exploited by attackers to compromise the organization's infrastructure. With the help of our cloud pentest, we were happy to support Deutsche Fiskal in preventing such gateways from arising in the first place."

"By carrying out a technical security analysis in the form of pentests and a configuration audit, Deutsche Fiskal has taken exactly the right steps to achieve a higher level of IT security," adds Dr. Kai Schubert, Managing Security Consultant at usd AG. "Companies often focus on checking their application and neglect the configuration of the cloud services themselves. However, Deutsche Fiskal has recognized that a thorough review of the configuration of cloud services as part of a security audit is essential and that the combination with a penetration test is crucial for a strong level of security. Together, the results of the pentest and audit provide a much more comprehensive and reliable statement about the security level of a cloud-based environment than separate security analyses. We would like to thank everyone involved in the Deutsche Fiskal project and look forward to continuing our partnership."

About Deutsche Fiskal

DF Deutsche Fiskal GmbH is a wholly owned subsidiary of GK Software SE and thus benefits from the many years of experience of the leading international provider of branch solutions, the economic and technological strength and the experience of the parent company from numerous fiscalizations worldwide. In the partnership, Deutsche Fiskal is responsible for developing the cloud solution. Bundesdruckerei provides the necessary technical security equipment (TSE), its hosting and the security infrastructure.

Further information can be found at
