Penetration Test Requirements in DORA

DORA requires financial entities to conduct threat-led penetration testing of each of their applications at least once every three years. Heyhack can help financial entities comply with DORA by automating the penetration testing process, providing insights into the organization's most critical vulnerabilities, and helping to prioritize remediation efforts.
Sebastian Brandes

The Digital Operational Resilience Act (DORA) is a new regulation from the European Union that aims to improve the operational resilience of financial entities. DORA requires financial entities to conduct regular testing of their ICT systems and processes, including threat-led penetration testing.

Threat-led penetration testing is a type of security testing that simulates real-world cyberattacks. It is designed to identify, and demonstrate the exploitability of, vulnerabilities in an organization's systems and processes that real attackers could use.

Chapter IV of DORA specifically addresses the requirements for threat-led penetration testing for financial entities. This blog post will discuss the following topics:

  • What is threat-led penetration testing?
  • What are the requirements for threat-led penetration testing under DORA?
  • Who are the entities targeted by DORA?
  • When must entities targeted by DORA be compliant?
  • How can Heyhack help financial entities become compliant with DORA?

What is Threat-Led Penetration Testing?

Threat-led penetration testing differs from traditional penetration testing in that it is not focused solely on finding vulnerabilities. It also adopts the attacker's perspective and prioritizes the vulnerabilities that a real threat actor would most likely exploit.

To do this, threat-led penetration testers typically use a variety of sources of information, including:

  • Publicly available information about known vulnerabilities
  • Intelligence reports about the tactics, techniques, and procedures (TTPs) of known threat actors
  • The organization's security posture and known vulnerabilities

Threat-led penetration testers use this information to develop a customized attack plan that is designed to exploit the organization's most critical vulnerabilities.

What are the Requirements for Threat-Led Penetration Testing under DORA?

Chapter IV of DORA requires financial entities to conduct threat-led penetration testing of every single application developed and/or maintained by the organization at least once every three years. The testing must cover all of the financial entity's critical functions and services and be performed on live production systems.

DORA also defines requirements for the penetration testers themselves, all of which Heyhack meets. Testers and testing solutions that satisfy the DORA requirements must:

  • be of the highest suitability and reputability;
  • possess technical and organizational capabilities in penetration testing;
  • adhere to formal codes of conduct or ethical frameworks;
  • provide independent assurance concerning the sound management of risks associated with the carrying out of threat-led penetration testing;
  • be duly and fully covered by relevant professional indemnity insurance.

For a complete overview of the requirements, refer to Articles 24–27 of the Act.

Who are the Entities Targeted by DORA?

DORA applies to a wide range of financial entities, including:

  • Banks
  • Investment firms
  • Insurance companies
  • Central securities depositories
  • Payment systems
  • Securities settlement systems

Any financial entity that meets the criteria set out in DORA is required to comply with the regulation.

For a complete overview of all the entities covered by the regulation, have a look at Article 2 of the Act.

How Can Heyhack Help Financial Entities Become Compliant with DORA?

Heyhack provides an all-in-one solution for automated penetration testing of web applications and APIs. Heyhack's platform can help financial entities become compliant with DORA by:

  • Automating the threat-led penetration testing process
  • Providing insights into the most critical vulnerabilities in an organization's web app infrastructure
  • Helping to prioritize remediation efforts
  • Providing a detailed report of the findings

Heyhack's platform is easy to use and requires no specialized knowledge or skills. This makes it a cost-effective and efficient solution for financial entities that must comply with DORA. Most large financial organizations maintain between 100 and 300 applications, making it almost impossible to comply with the requirements using manual penetration testing. Heyhack can help you meet the requirements while supporting and scaling your internal pen-testing team.

Heyhack meets the five requirements for penetration testers in Article 27 of DORA as follows:

  • Heyhack has more than 20 years of experience in penetration testing and has worked with many large financial institutions on penetration test and vulnerability scanning assignments;
  • Heyhack is one of the globally leading solutions in automated penetration testing of web applications and has built one of the strongest and most comprehensive test engines to guarantee complete coverage and testing of every kind of web application;
  • Heyhack is a corporate member of the Open Worldwide Application Security Project (OWASP) and adheres to the OWASP Web Security Testing Guide, considered the best and most expansive methodology for penetration testing of web applications;
  • Heyhack is SOC 2 Type II certified by Prescient Assurance and works with Vanta to actively manage risks associated with penetration test services;
  • Heyhack is insured by Tryg Forsikring, the largest insurance company in Denmark, and maintains a liability insurance policy to cover any potential damage caused by Heyhack's automated penetration tests.

In our Trust Center, you can learn more about the specific controls we implement to ensure we comply with DORA requirements. You can also request a copy of our SOC 2 Type II report.

Conclusion

Threat-led penetration testing is a critical requirement for financial entities under DORA. By conducting regular threat-led penetration testing, financial entities can identify and mitigate vulnerabilities that attackers could exploit. This will help improve financial entities' operational resilience and protect them from cyberattacks.

Heyhack is a leading provider of automated penetration testing solutions for web applications. Heyhack's platform can help financial entities become compliant with DORA by automating the threat-led penetration testing process, providing insights into the organization's most critical vulnerabilities, and helping to prioritize remediation efforts.

If you are a financial entity that needs to comply with DORA, contact our security expert team to learn more about how our platform can help.