The IT security of your financial application tested in accordance with BSI TR-03174
BSI TR-03174 is aimed at manufacturers, developers, and operators of digital applications in the financial sector. It specifies binding, verifiable security requirements with the aim of ensuring a uniform and high level of security for financial apps, web applications, and backend systems.
The BSI Technical Guideline TR-03161 aims to protect the confidentiality, integrity and availability of medical data collected by digital health applications.
It was developed by the German Federal Office for Information Security (BSI) and serves as a guideline for developers of healthcare applications when creating secure solutions. It defines the minimum requirements for the IT security of mobile applications, web applications and/or backend systems used in the healthcare sector.
BSI TR-03174 is aimed at manufacturers and developers of financial apps, web applications, and the associated backend systems. It also addresses banks, insurance companies, fintechs, and payment service providers that operate or offer such applications. IT service providers that supply components or interfaces in the financial sector are also part of the target group. In addition, the guideline can be used by anyone who develops or operates applications with sensitive data.
Certification according to BSI TR-03174 does not have a formal validity period of five years. A certificate issued under this certification program is only valid for the version of a product that was tested as part of the conformity assessment.
If changes or modifications are made to a certified product, new versions/configurations are created for which the issued certificate is no longer valid. If conformity with the requirements of BSI TR-03174 is also to be confirmed for the change or further development of a certified product, an application for recertification or maintenance can be submitted to the BSI.
The certificate thus documents the compliant security status at the time of testing and serves as proof for customers, partners, and supervisory authorities.
Depending on the object of the evaluation, the customer may require various additional services/information for the evaluation, including, for example
BSI TR-03174 consists of several parts that define specific requirements for applications in the financial sector:
Part 1 – Mobile applications: This part deals with security requirements for native and hybrid apps that run on mobile devices such as smartphones or tablets.
Part 2 – Web applications: This part describes requirements for web applications that are accessible via browsers and provide financial services.
Part 3 – Backend systems: This part focuses on the security requirements for server infrastructures, databases, and interfaces that provide backend services for financial applications.
Each part is tailored to the specific requirements and threat situations of the respective platform. The complete documents are available on the website of the Federal Office for Information Security (BSI).