Why choose a product with a BSI Kitemark for Secure Digital Applications?

In a world where personal, professional, and private information flows through devices such as phones, computers, cars, doorbells, locks, and more, digital security is paramount. It's critical for software applications to undergo rigorous testing and certification against industry standards. The BSI Kitemark for Secure Digital Applications ensures your software meets the highest security benchmarks, protects sensitive data, and guarantees secure user interactions.

To earn the BSI Kitemark for Secure Digital Applications, software must undergo comprehensive third-party testing, not only during the certification process but also on an ongoing basis, to maintain security compliance. This continuous evaluation ensures the application remains secure and up to date with evolving standards against emerging threats. This commitment reflects the manufacturer’s commitment to your digital security. In addition, we assess the development processes to ensure consistent, high-quality output.

By choosing a product with the BSI Kitemark for Secure Digital Applications, you can trust that it has been meticulously vetted for digital security, adhering to best practices in safeguarding your personal, professional, and private information.

The typical standards the software is tested against include:

Please note that this is not a comprehensive overview of all standards and security testing requirements. It is intended to highlight key features of the standards, testing, and certification process.

OWASP ASVS (Application Security Verification Standard)

ASVS focuses on web applications and defines three security verification levels:

  • L1 provides a solid security foundation for all applications.
  • L2 introduces additional controls for apps handling sensitive data.
  • L3 applies to critical applications that handle highly sensitive data, high-value transactions, and require the highest level of trust.

Key areas of ASVS security requirements include:

  • Authentication: Ensures proper user identification (e.g., password strength, multi-factor authentication).
  • Session Management: Tests secure session handling, including secure cookies and session expiration.
  • Access Control: Verifies that users can access only authorized parts of the application.
  • Input Validation: Checks for vulnerabilities like SQL Injection and Cross-Site Scripting (XSS), ensuring proper handling of user inputs.
  • Cryptography: Ensures sensitive data is encrypted during storage or transmission (e.g., passwords, personal data).
  • Error Handling: Ensures errors don’t expose sensitive information.
  • Data Protection: Validates secure handling of sensitive data (e.g., personal and payment information).

OWASP MASVS (Mobile Application Security Verification Standard)

MASVS applies to mobile applications and defines two verification levels (L1, L2) and a set of reverse engineering resiliency requirements (R).

  • L1 security requirements are applicable to all apps.
  • L2 adds additional defense-in-depth controls for apps handling sensitive data.
  • R security requirements focus on client-side threats and reverse engineering resiliency.

Key MASVS security requirements include:

  • Data Storage: Ensures sensitive data stored on the device is encrypted and inaccessible to attackers.
  • Authentication and Session Management: Tests login processes, session management, and the secure handling of authentication tokens.
  • Network Communication: Ensures secure communication protocols (e.g., HTTPS) and proper encryption of data in transit.
  • Code Tampering: Verifies that protections against code modification or tampering are in place, such as code signing.
  • Reverse Engineering Protections: Tests the difficulty of decompiling the app and extracting sensitive information.
  • Platform Interaction: Ensures proper use of mobile operating system security features (e.g., secure permissions, sandboxing).

OWASP MASTG (Mobile Application Security Testing Guide)

MASTG is a testing guide used to verify that a mobile app meets MASVS requirements. It covers:

  • Static Analysis: Analyzing the app’s code without running it to find vulnerabilities.
  • Dynamic Analysis: Running the app to detect weaknesses, such as insecure data transmissions.
  • Reverse Engineering: Testing the difficulty of decompiling the app to analyze its code.
  • Penetration Testing: Simulating real-world attacks to check for exploitable vulnerabilities.
  • Common Vulnerabilities Tested

Across ASVS and MASVS, some of the most common security risks tested include:

  • SQL Injection: Ensuring attackers cannot manipulate databases through input fields.
  • Cross-Site Scripting (XSS): Protecting the app from malicious script injections.
  • Insecure Communication: Ensuring data is safely encrypted during transmission over the internet.
  • Insecure Storage: Ensuring sensitive data (passwords, personal info) is encrypted on the server or device.
  • Weak Authentication: Testing for vulnerabilities in password management, multi-factor authentication, or login processes.

What Does the BSI Kitemark for Secure Digital Applications Mean?

The BSI Kitemark for Secure Digital Applications ensures that software is trusted for its security, functionality, and reliability. It helps businesses deliver secure digital services and gives users confidence in software that handles sensitive data. Achieving the Kitemark involves rigorous testing and annual assessments to maintain security standards, ensuring consistent quality.

Recognized internationally, the BSI Kitemark enhances a company’s reputation and builds trust in its digital products.

Discover more about certification here