README-en.md 6.00 KiB
OZG Security Scanner

OpenSSF Best Practices


OZG Security Challenge - Best Practice Scanner

This repository contains the Best Practice Scanner, which was developed as part of the OZG Security Challenge. The Best Practice Scanner is a tool that checks whether a website implements a defined set of IT-security best practices.

Background

As public administration becomes more digital, the importance of information security grows. Citizens and companies expect the state to protect their personal data with a high level of IT security. The Federal Ministry of the Interior and Community (BMI) therefore wants to further strengthen IT security during the implementation of the OZG and has launched the ‘OZG Security Challenge 2023’ in cooperation with the Federal Office for Information Security (BSI). Within this scope, the ‘OZG Security Quick Test’ and its ‘Best Practice Scanner’ component were developed.

Features

  • Checks the degree of implementation of the following best practices/security measures (Beta):

    • Responsible Disclosure: a published channel for reporting vulnerabilities before they are disclosed
    • Transport Layer Security (TLS) 1.3: the current TLS version is offered for communication between citizens and the OZG service
    • Deactivate TLS 1.0 & 1.1: the outdated, deprecated protocol versions are disabled
    • HTTP Strict Transport Security (HSTS): browsers are instructed to use only encrypted connections to the OZG service
    • Domain Name System Security Extensions (DNSSEC): DNS answers are cryptographically signed, so the mapping from domain name to server address cannot be forged
    • Resource Public Key Infrastructure (RPKI): signed route origin data that protects against unauthorised redirection (hijacking) of data traffic
  • Tests the degree of implementation of the following best practices/security measures (Alpha, the tests may be faulty):

    • Certification Authority Authorisation (CAA)
    • Certificate Transparency Logs
    • Content Security Policy (CSP)
    • X-Content-Type-Options
    • HSTS preload
    • HTTP to HTTPS redirection
    • IPv6 support
    • Host name matches the certificate
    • No mixed content
    • Certificate has not been revoked
    • Secure session cookie
    • Use of strong cipher suites
    • Use of secure key exchange methods (planned, not yet implemented)
    • Use of a strong private key
    • Use of strong signature algorithms
    • Sub-resource integrity
    • Availability of TLS 1.2
    • Validation of the certificate
    • Validation of the certificate chain
    • X-Frame-Options
    • X-XSS-Protection
    • DNS-based Authentication of Named Entities (DANE)
    • DomainKeys Identified Mail (DKIM)
    • Domain-based Message Authentication, Reporting, and Conformance (DMARC)
    • Sender Policy Framework (SPF)
    • STARTTLS
    • Availability of an English version of the website
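As an added example that is not part of the Best Practice Scanner's own code, the following Python evaluates several of the header-based checks from the list above (HSTS and HSTS preload readiness, X-Content-Type-Options, X-Frame-Options, CSP, secure session cookie, HTTP to HTTPS redirection) against constructed HTTP responses rather than a live site, so it runs offline. The `Response` class, the sample headers and the pass criteria (a preload-ready `max-age` of at least one year with `includeSubDomains` and `preload`, the accepted redirect status codes, rejecting `'unsafe-inline'` in the script source) are assumptions for this example, not the scanner's actual rules.

```python
"""Offline evaluation of several header-based best-practice checks.

Added example, not the Best Practice Scanner's own code: the checks run
against constructed responses instead of fetching a real website.
"""
from __future__ import annotations

from dataclasses import dataclass
from http.cookies import SimpleCookie

# hstspreload.org requires max-age >= 1 year plus includeSubDomains and preload.
PRELOAD_MIN_MAX_AGE = 31_536_000
REDIRECT_CODES = {301, 302, 307, 308}


@dataclass
class Response:
    """Minimal stand-in for a fetched response (constructed, no network)."""
    status: int
    headers: list[tuple[str, str]]  # a list, because Set-Cookie may repeat

    def get(self, name: str) -> list[str]:
        return [v for k, v in self.headers if k.lower() == name.lower()]


def parse_hsts(value: str) -> tuple[int | None, set[str]]:
    """Split an HSTS value into max-age and the set of lower-cased flags."""
    max_age, flags = None, set()
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return None, set()  # malformed max-age: treat as not enforced
        else:
            flags.add(name)
    return max_age, flags


def check_hsts(resp: Response) -> dict[str, bool]:
    values = resp.get("strict-transport-security")
    if len(values) != 1:  # missing or duplicated: browsers ignore the header
        return {"hsts": False, "hsts_preload": False}
    max_age, flags = parse_hsts(values[0])
    enforced = max_age is not None and max_age > 0
    preload_ready = (enforced and max_age >= PRELOAD_MIN_MAX_AGE
                     and {"includesubdomains", "preload"} <= flags)
    return {"hsts": enforced, "hsts_preload": preload_ready}


def check_secure_cookies(resp: Response) -> bool:
    """Every cookie set over HTTPS must carry both Secure and HttpOnly."""
    verdicts = []
    for raw in resp.get("set-cookie"):
        jar = SimpleCookie()
        jar.load(raw)
        for morsel in jar.values():
            # SimpleCookie stores flag attributes as True when present, "" otherwise
            verdicts.append(bool(morsel["secure"]) and bool(morsel["httponly"]))
    return all(verdicts)  # vacuously true when no cookies are set


def check_nosniff(resp: Response) -> bool:
    vals = resp.get("x-content-type-options")
    return len(vals) == 1 and vals[0].strip().lower() == "nosniff"


def check_frame_options(resp: Response) -> bool:
    vals = resp.get("x-frame-options")
    return len(vals) == 1 and vals[0].strip().upper() in {"DENY", "SAMEORIGIN"}


def check_csp(resp: Response) -> bool:
    """CSP present and its effective script source does not allow inline scripts."""
    vals = resp.get("content-security-policy")
    if len(vals) != 1:
        return False
    directives = {d.split()[0].lower(): d.split()[1:]
                  for d in vals[0].split(";") if d.strip()}
    sources = directives.get("script-src", directives.get("default-src"))
    return sources is not None and "'unsafe-inline'" not in [s.lower() for s in sources]


def check_http_redirect(http_resp: Response) -> bool:
    """A plain-HTTP request must be redirected to an https:// URL."""
    loc = http_resp.get("location")
    return (http_resp.status in REDIRECT_CODES and len(loc) == 1
            and loc[0].strip().lower().startswith("https://"))


def evaluate(https_resp: Response, http_resp: Response) -> dict[str, bool]:
    result = check_hsts(https_resp)
    result.update(nosniff=check_nosniff(https_resp),
                  frame_options=check_frame_options(https_resp),
                  csp=check_csp(https_resp),
                  secure_cookies=check_secure_cookies(https_resp),
                  http_to_https=check_http_redirect(http_resp))
    return result


# Constructed sample responses (not captured from any real site).
GOOD_HTTPS = Response(200, [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Content-Security-Policy", "default-src 'self'; img-src 'self' data:"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
])
GOOD_HTTP = Response(301, [("Location", "https://www.example.org/")])
WEAK_HTTPS = Response(200, [
    ("Strict-Transport-Security", "max-age=300"),  # enforced, but far too short to preload
    ("Content-Security-Policy", "default-src 'self' 'unsafe-inline'"),
    ("Set-Cookie", "session=abc123; Path=/"),  # neither Secure nor HttpOnly
])
WEAK_HTTP = Response(200, [])  # serves content over plain HTTP instead of redirecting

if __name__ == "__main__":
    print("good:", evaluate(GOOD_HTTPS, GOOD_HTTP))
    print("weak:", evaluate(WEAK_HTTPS, WEAK_HTTP))
```

The checks deliberately fail on a duplicated header: browsers ignore a second `Strict-Transport-Security` value and the scanner-style verdict should not reward an accidental double configuration. Replacing the constructed `Response` objects with real headers from an HTTP client is the only change needed to run the same logic against a live host.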
