Digitale Leute – Build Better Products

Schedule

Application security for the sales platform of Deutsche Bahn

Talk
Conference Stage 2
11:35-12:10
German

Subtitle: How we are using a continuous shift left approach to create a sustainable and efficient security system for the sales platform of Deutsche Bahn.

The sales platform of Deutsche Bahn is one of Europe’s largest e-commerce platforms. With the entry points DB Navigator and ticket sales at www.bahn.de, as well as the partner interface for travel agencies, Deutsche Bahn enables private and business customers to search for train connections, purchase tickets and railcards, and receive notifications of schedule changes. There are few people in Germany who have never used one of these products. The revenue generated via this platform and the number of user accounts also make the sales platform of Deutsche Bahn an interesting target for organized attackers, and even script kiddies repeatedly try their luck.

The sales platform must therefore continuously protect itself against attempted attacks such as:

– Attempts to take over customer accounts

– Attempts to undermine sales processes

– Denial of service attacks to restrict the availability of the platform

The application security team for the sales platform supports specialists and developers in identifying vulnerabilities in the system at an early stage and preventing them from being exploited. Christian Georg is an IT security consultant at Cologne Intelligence and heads the application security team for the sales platform. In his talk, he provides insight into how application security is integrated into the development process and what lessons other companies can learn from this.

Speaker

Christian Georg

Security Consultant at Cologne Intelligence

Christian is a Security Consultant at Cologne Intelligence whose passion for IT security began during his thesis on Java Cards and attack analysis. Since then, he has supported organizations like IBM, the German Armed Forces’ first CERT, and the electronic health card project through roles ranging from pentesting to architecture. Today, he leads the security team for Deutsche Bahn’s sales platform. His key insight: strong security in development is only possible through close collaboration with developers, not abstract requirements.
