Information security

Secure software development and IT services

Secure software development and hosting are at the core of our web-based project management solution. That is why we place a high value on comprehensive information security management. Here you can find out what measures we have implemented to provide you with secure hosting services and a secure product in the form of Projektron BCS.


TÜV-certified quality – secure product Projektron BCS

Projektron GmbH places a high value on information security and has therefore implemented a comprehensive information security management system (ISMS). With the introduction of this system, we have anchored information security in the company's organizational structure and established central processes such as risk management. Our overarching goals in this regard are always the following:

  •  Confidentiality
 
  •  Integrity
 
  • Availability

A central element of our information security and quality management is our ISO 27001 certification by TÜV Rheinland. This certification confirms that our processes, systems and controls meet the strict requirements of the ISO 27001 standard. Our ISO/IEC 27001:2013 A1 certification covers not only the operation of development and IT services but also our support and IT administration. Our ISMS is regularly reviewed and adapted to respond to new threats and challenges. This guarantees that our security measures are always up to date and that your data is continuously protected.

Regular security updates and bug fixes

The regular installation of updates is one of the most important security measures that users of Projektron BCS should pay attention to. We are constantly working to identify potential security vulnerabilities and fix them immediately. Updates to our software therefore always include bug fixes and eliminated security risks. Therefore, update your BCS installation regularly to be protected against potential risks in the best possible way.
 

View the latest security-related changes

Product development

Secure software development – secure software: Information security in the development process is essential to offering a software product with Projektron BCS that provides a secure basis for your business requirements and ensures the confidentiality, integrity and availability of your information.

Our measures for secure software development

Access control and authentication

  •  

Role and rights concept

A customizable role and rights concept is a prerequisite for restricting access to data or information to authorized persons.
 
 
  •  

Single sign-on

BCS supports authentication via Active Directory (LDAP/KERBEROS) or OAuth 2.0 with OpenID Connect.
  •  

Guidelines for passwords

Projektron BCS supports guidelines for passwords regarding password complexity and frequency of changes.
 
  •  

2-factor authentication

The login can be additionally secured by a second factor generated according to the TOTP procedure.
  •  

Passkeys

BCS supports Passkeys, a password-free authentication method that replaces passwords with an asymmetric procedure, thereby increasing user-friendliness and eliminating vulnerabilities such as phishing, password theft and weak passwords.
   
 

Data security and protection mechanisms

  •  

Encrypted connections

Encrypted communication is possible for secure data transfer between Projektron BCS and users or external systems (https, imaps, smtps).
 
  •  

Password vault

Passwords needed for third-party systems can be stored cryptographically secure in a password vault.
  •  

Secure passwords

Passwords are secured in Projektron BCS with the PBKDF2 algorithm as well as salt and pepper.
 
  •  

Brute force attacks

User accounts are protected by waiting times or account lockout after multiple failed login attempts. Access to individual accounts can be restricted to certain IP addresses and IP ranges.
 

Testing and review

  •  

Vulnerability scanning

The software is regularly scanned for known security vulnerabilities.
 
  •  

Pentests

Pentests are regularly carried out in collaboration with our customers. The results of these tests are continuously incorporated into the development and protection of Projektron BCS.
  •  

Automated testing

Projektron BCS is tested for both functionality and user-friendliness. Common attack patterns can be checked automatically. Automated tests are integrated into the Continuous Integration (CI) pipeline to ensure that every change to the code is tested immediately.
 
  •  

Integration tests

We perform integration tests to ensure that different components of the software work together securely and that no new security vulnerabilities arise.
  •  

Unit testing

For each user story, we develop unit tests to verify correct functionality and security at the code level.
 
  •  

Test coverage reports

We create test coverage reports that show the coverage of user stories by the tests and ensure that no security-critical areas remain untested.
  •  

End-to-end testing

We create end-to-end tests that cover the entire user story and ensure that the application works as expected and is secure.
   
 

Internal security measures

  •  

Definition of security requirements

Security objectives and requirements are clearly defined at the beginning of the project.
 
  •  

Security planning

We follow a detailed security plan that describes security measures and procedures.
  •  

Team of experts in product development

A specialized team continuously deals with current IT security issues and implements the latest security measures in Projektron BCS. This ensures that our software always meets the highest security standards.
 
  •  

Internal guideline “Secure Software Development”

The internal guideline aims to minimize security deficits and vulnerabilities in the development of Projektron BCS and to respond appropriately to them. This is done by taking into account the SANS 25, which lists the 25 most dangerous and relevant vulnerabilities in software, as well as the OWASP Top 10, which describes the ten most widespread and important vulnerabilities for web applications.
  •  

Staff training

Our developers receive regular training and are made aware of security aspects and best practices.
 
  •  

Awareness programs

We run programs to promote security awareness throughout the development team.
  •  

Security documentation

All security requirements, measures and tests are documented in detail.
 
  •  

Reporting

We regularly report on the security status and any incidents that have occurred to relevant stakeholders.
 

Secure programming and development guidelines

  •  

Coding standards and guidelines

We adhere to proven coding standards and guidelines to avoid security vulnerabilities.
 
  •  

Code reviews and peer reviews

The code is regularly reviewed by colleagues to identify potential security issues at an early stage.
  •  

Static Code Analysis

Tools are used for static code analysis to find vulnerabilities in the source code.
 
  •  

Risk Assessment

Potential security risks are identified and assessed throughout the entire development process.
  •  

Vulnerability Management

A process has been implemented to detect, assess and remediate security vulnerabilities.
   
 

Version Control and Configuration Management

  •  

Version control

We use version control systems (e.g. Git) to track changes in the code and ensure traceability.
 
  •  

Configuration management

We ensure that all configurations are securely managed and documented.
 

Incident response and emergency planning

  •  

Contingency plans

Contingency plans have been created and are continuously maintained to enable a quick and effective response in the event of a security incident.
 
  •  

Incident response

We have established a process for responding to security incidents, including analyzing and rectifying the causes.

   

Hosting / SAAS

We know that a secure system is important to you, especially if you host Projektron BCS with us or our service provider.

Our measures for secure hosting

Location and availability

  •  

Data center in Germany

The data center is located in Germany and is subject to high security levels. It belongs to the Tier IV class with redundant ISP POP.
 
  •  

Backup and recovery

The hosting offers backups and, if necessary, a quick recovery.
  •  

Certified

Our data center and Projektron's security-related areas are certified according to ISO 27001. The data center also has other certificates: VdS ISO 9001 NSL and IS, DIN 14675 for BMA and DIN EN 50518.
 
  •  

Availability

We guarantee the agreed availability, which is permanently monitored.
 

Physical security and access control

  •  

Access control

The data center may only be accessed by authorized persons who have been entrusted with the fulfillment of tasks and who have registered in advance.
 
  •  

Security

The data center is guarded on-site 24/7, 365 days a year. 
 

Security tests and updates

  •  

Automated updates

The virtual machines and Projektron BCS are updated automatically so that they are always up to date and secure.
 
  •  

Maintenance window

There are regularly scheduled maintenance windows for importing updates and patches. In the event of an acute security breach, unscheduled updates will be carried out, with two hours' notice.
  •  

Pentest

Our hosting is subjected to a pentest annually.
   
 

Data and access security

  •  

Separate database servers

Customer data is stored on separate database servers. This enables better performance and the setup of individual interfaces.
 
  •  

SSL

When hosting, you access Projektron BCS via encrypted access with an SSL certificate.
  •  

VPN tunnel

The virtual machines cannot be accessed via the Internet. Projektron only accesses these via VPN tunnels.
 
  •  

Firewall

A centralized firewall with strict filter rules individually for each customer protects you from external attacks. A firewall for web applications can be provided upon request.
  •  

Secure connections via HTTPS/SFTP/SSH & SCP

You generally only access your virtual machine via secure connections (via HTTPS/SFTP/SSH) and create backups or data copies (via SCP) in this way, for example.
   
 

Additional services and training

  •  

KVD

Our customers are automatically connected to the configuration versioning service (KVD). This means that their configurations are managed within an SVN repository.
 
  •  

Further training

Employees receive further training tailored to their needs in the security of hosting services.

   

Support portal & Web App

The following measures provide an overview of the most important security and configuration settings that make the Projektron BCS support portal and web app even more secure and efficient. Find out how to optimally protect your data and customize the platform to suit your needs.

Our security measures for the support portal and web app

Support portal

  •  

Transport security

Transport security in the support portal is ensured by the optional but recommended use of HTTPS.
 
  •  

Message exchange and authentication

Messages are exchanged via SOAP, with authentication being ensured by username and password in the SOAP header. The synchronization user should be protected with a strong password because it has extensive rights. This password should be stored in the password
  •  

Configuration of the Attributes to be Synchronized

The attributes to be synchronized can be configured, whereby sensitive attributes can be excluded from synchronization.
 
  •  

Port Restrictions

Port restrictions can be applied to specifically restrict the HTTP exchange between the systems involved.
 

Web App

  •  

Transport security

The transport security of the web app is guaranteed, as it can only be used in conjunction with HTTPS.
 
  •  

Authentication and cookie management

Authentication is carried out via a username and password, followed by the use of a long-lasting cookie that is stored securely in the memory and removed from the app when you explicitly log out.
  •  

Rights application during synchronization

When synchronizing from the Web app to Projektron BCS, the rights set in BCS are applied.
   

   

Interfaces

This is where you will find an overview of the central security aspects when using interfaces in Projektron BCS. Regardless of whether you are integrating Microsoft Exchange, Microsoft 365 (Exchange Online) or Jira, this is where you will learn how to ensure transport security and which authentication and authorization methods are used.

Our interfaces from a security perspective

Microsoft Exchange On-Premises

  •  

Transport security

Transport security for Microsoft Exchange on-premises is ensured by the optional but recommended use of HTTPS.
 
  •  

Authentication

Projektron BCS supports the BASIC, DIGEST and NTLM authentication types, which are, however, vulnerable to certain attack patterns. BCS does not yet support the modern AD FS authentication type, which is based on OAuth 2.0 and is used by Exchange 2019.
 

Microsoft Exchange Online

  •  

Transport security

When using Microsoft Exchange Online, transport security is guaranteed by the exclusive use of HTTPS.
 
  •  

Authentication

Secure, token-based authentication provides additional protection when using Exchange Online.
 

Jira On-Premises

  •  

Transport security

Transport security for Jira On-Premises is guaranteed by the optional but recommended use of HTTPS.
 
  •  

Message exchange

The message exchange is done via SOAP, where the password of the sync user must be securely protected.
  •  

Impersonation and security

After logging in via the sync user, impersonation is used to store actions in the context of the logged-in user.
   
 

Jira Cloud

  •  

Authentication

In Jira Cloud, authentication is done via an API key on the user via the REST interface in BCS, whereby the API key is securely created and stored.
 
  •  

Security recommendation

It is recommended that Jira Cloud and Projektron BCS be installed on the same system to be able to block ports through a firewall.
  •  

User management

Only the administrator can manage the user assignment mappings in BCS.
   

  

Tanja Maier

Controlling, SSC-Services GmbH

“[The] risk management of [Projektron] helps us, among other things, to meet the requirements of the TISAX and ISO labels. We store agreements such as service level agreements and non-disclosure agreements for the corresponding projects, record whether relevant information values are processed in the project and whether scheduling has been contractually agreed. Risks and, if applicable, opportunities are stored in the project by the project manager.”

Michael Schäfer

Managing Director, Schutzwerk GmbH

"We wanted an all-in-one solution that covers our high security requirements and supports us in handling our audit projects in the area of cyber security. In addition to the use of basic project management functions, especially for many smaller projects, cross-project resource management and automation from service recording to invoicing are essential for us. Projektron BCS also supports us in the efficient implementation of our internal projects, such as certifications."

Carsten Münch

First Business Partner & Team Coordinator Application Management, TÜV Rheinland Service GmbH

"We have implemented single sign-on so that our employees don't have to enter a password and can use a secure and modern login procedure."

Thomas Hackenbuchner

Head of Finance & Administration, MicroNova AG

"When it comes to information security, BCS provides support through the option of assigning additional attributes to projects. For example, we can classify projects in terms of their need for protection or mark whether it is a project with prototype protection. Based on these markings, we can derive and initiate further process steps."

Kevin Botsch

BCS Technical Product Management, Finanz Informatik Solutions Plus GmbH

"As a consulting, development and integration service provider for business applications in the financial sector, software security and transparent processes are important to us. Due to our growth to date and the constantly increasing number of users, user-friendliness and intuitive operation have also become important factors. With Projektron BCS, we have found a system that meets these requirements exactly. In addition, BCS can also be flexibly adapted to our needs and enables us to make numerous process improvements."

 

Quality and information security management at Projektron GmbH

In addition to secure software development and secure hosting, efficient business processes are at the core of our project management software and our company. That is why we have implemented a comprehensive quality and information security management system.

 

Quality and information security management at Projektron GmbH

Your contact

Our helpdesk

is your contact point
about Projektron BCS.

+49 30 3 47 47 64-200
helpdesk(at)projektron.de

Free-of-charge
online presentation

Let us show you Projektron BCS via web conference.

Sign up

All references To top