
Steve Kerns
More by Steve Kerns

Application Self Protection – A New Addition to the OWASP Top 10
June 6, 2017
OWASP has just released their release candidate of the Top 10 most critical web application security risks. While no major changes were included, they added two new ones. This blog discusses the first one in the list: A7 – Insufficient Attack Protection.

Open Source Software – Is It the Death of Your Company?
March 28, 2016
Open source software may come with licenses that are unfavorable to your company, or contain security vulnerabilities that could compromise your software.

Dumping Memory on iOS 8
March 14, 2016
Back in January of 2015 NetSPI published a blog on extracting memory from an iOS device. Even though NetSPI provided a script to make...

The Way Back Machine – Microsoft Word for Windows 1.1a
March 27, 2014
On March 25, 2014, Microsoft released the source code for Microsoft Word for Windows 1.1a. They said they released it "to help future generations of technologists better understand the roots of personal computing."

PA-DSS 3.0 – What to Expect
November 14, 2013
The PCI Council has just released PA-DSS version 3.0. They have added new requirements, removed one, and changed a few. How this affects your application really depends on how you implemented security.

Outsourcing application development – what is missing?
October 3, 2013
I have been reading a few articles on outsourcing application development. Many of them have good information on what to look for and how to work with the companies doing the development. However, I have yet to see any of these articles talk about security and how to handle that in the outsourcing process.

Why does one QSA pass me and another would not?
April 11, 2013
A question came up about a PCI audit that was performed for one of our customers. They just finished their PCI audit and passed. I am now working with them on a new software application and there is a vulnerability in their application that was ranked as a high.

Code Review – is automated testing enough?
February 26, 2013
Comments on the PCI Council's requirement 6.3.2 that all code must be reviewed prior to release.

Mobile Application Testing – Where is it?
January 23, 2013
I was reading a few articles about how mobile devices, because of their popularity, are now the focus of malicious hackers. I thought this was interesting because many companies are developing applications for the mobile platforms and based on the information I have heard, they really do not have a formal process to test these applications for security.

Oracle’s stealth password cracking vulnerability
January 21, 2013
Steve Kerns comments on Oracle’s stealth password cracking vulnerability.

Happy New Year – Have you made your application testing resolution yet?
January 1, 2013
Now that we have come upon the new year, it is time to resolve to test your applications both statically (code review) and dynamically (penetration test).

Compliance Impact of Virtual Artifacts
November 19, 2012
Steve Kerns' thoughts on the compliance impact of virtual artifacts.