DigiD Pentesting & Compliance
Get quality, comprehensive pentesting, carried out by expert ethical hackers. PentestHero brings DigiD compliance to the cloud with Pentest-as-a-Service.
Stay compliant with a thorough penetration test for your DigiD properties. PentestHero delivers fast, insightful testing to identify vulnerabilities in application and web security. Our Dutch team will thoroughly investigate your application against DigiD Standards Framework 2.1 to ensure full compliance with the BZK or as part of your ENSIA audit.
Do I Need a DigiD Assessment?
All organizations using the Dutch Digital Personal Identification (DigiD) are obligated to perform a yearly ICT security assessment and audit (ENSIA). A pentest is included in this obligation. You need DigiD pentesting if you use DigiD logins for any of your web properties, applications, or infrastructure. You’re also obligated to perform a pentest at any point where you make significant changes to assets, properties, or forms impacted by DigiD.
Logius sets the DigiD security standard based on guidelines from the Ministry of the Interior and Kingdom Relations, in consultation with NOREA, the National Audit Service, and the NCSC.
What’s Included in a DigiD Pentest?
PentestHero delivers a comprehensive DigiD pentest using the Logius DigiD Standards Framework v2.1, a subset of the NCSC norms. We use the OWASP Testing Guide and ASVS (OWASP Application Security Verification Standard) for the DigiD security assessment. This includes greybox testing with a scope set to include all assets affected by DigiD, as well as any custom forms or components integrated into DigiD.
PentestHero will help you set the scope to define assets for the pentest. We completely customize each pentest to meet the full scope of your DigiD integration, so every aspect of your site is secure and compliant. Our compliance partner, SafeHarbour, will deliver a TPM statement to complete the pentest.
We make DigiD pentesting digital, with a cloud platform, automated alerts, and real-time collaboration. PentestHero delivers a DigiD compliance solution centered around client-facing solutions, resolving findings, and remaining truly compliant. Assessments are carried out from our Amsterdam office, in line with BZK standards. Developers receive real-time alerts, virtual collaboration, and reporting designed around solving issues and retesting.
A DigiD pentest includes a full assessment of impacted (front-facing) infrastructure, components, and applications. Infrastructure tests take place in the production environment. Application tests take place in a test environment. Greybox testing requires us to log into your environment using DigiD.
Our cloud platform integrates DigiD frameworks, so you can automatically generate compliance reports for broader ENSIA needs. All findings are ticket-based and updated in real-time, so you can generate reports after resolving findings to ensure your audit goes as smoothly as possible.
Need a DigiD pentest in a hurry? If compliance reports are due, PentestHero has your back. Our cloud platform shortens lead times with automation, real-time communication, and a flex workforce. We can prioritize your DigiD pentest and complete it ASAP at no extra cost.
Other compliance norms?
Leverage pentest norms and frameworks to quickly launch assessments with complete oversight of what we’re testing and why. We build norms for PCI, HIPAA, ISO27001, NEN 7510, ISAE3402, and more based on official recommendations. Plus, every framework is customizable to client needs and specifications.
Your Pentest Platform
From onboarding to scheduling ongoing pentests, PentestHero is here to make your pentest processes better. We deliver full access to a cloud Security Dashboard, where you can request assessments, see findings in real-time, track findings and proof-of-concept files in one secure place, and automatically assign findings to developers. Our cloud platform is designed around helping you with findings, risk analysis, reports, and your security environment, with communication, collaboration, and actionable reports.