
Steve Kerns


Web Application Pentesting

Application Self Protection – A New Addition to the OWASP Top 10

OWASP has just released the release candidate of its Top 10 most critical web application security risks. While no major changes were made, two new categories were added. This blog discusses the first of them: A7 – Insufficient Attack Protection.

Vulnerability Management

Open Source Software – Is It the Death of Your Company?

Open source software could contain licenses that are bad for your company or contain security vulnerabilities that could damage your software.

Mobile Application Pentesting

Dumping Memory on iOS 8

Back in January of 2015 NetSPI published a blog on extracting memory from an iOS device. Even though NetSPI provided a script to make...

Network Pentesting

The Way Back Machine – Microsoft Word for Windows 1.1a

On March 25, 2014, Microsoft released the source code for Microsoft Word for Windows 1.1a. They said they released it "to help future generations of technologists better understand the roots of personal computing."

Vulnerability Management

PA-DSS 3.0 – What to Expect

The PCI Council has just released PA-DSS version 3.0. They have added new requirements, removed one, and changed a few. How this affects your application really depends on how you implemented security.

Vulnerability Management

Outsourcing application development – what is missing?

I have been reading a few articles on outsourcing application development. Many of them have good information on what to look for and how to work with the companies doing the development. However, I have yet to see any of these articles talk about security and how to handle that in the outsourcing process.

Network Pentesting

Why does one QSA pass me and another would not?

A question came up about a PCI audit that was performed for one of our customers. They just finished their PCI audit and passed. I am now working with them on a new software application, and there is a vulnerability in that application that was ranked as high.

Vulnerability Management

Code Review – is automated testing enough?

Comments on the PCI Council's requirement 6.3.2 that all code must be reviewed prior to release.

Mobile Application Pentesting

Mobile Application Testing – Where is it?

I was reading a few articles about how mobile devices, because of their popularity, are now the focus of malicious hackers. I thought this was interesting because many companies are developing applications for mobile platforms and, based on the information I have heard, they really do not have a formal process to test these applications for security.

Network Pentesting

Oracle’s stealth password cracking vulnerability

Steve Kerns comments on Oracle’s stealth password cracking vulnerability.

Vulnerability Management

Happy New Year – Have you made your application testing resolution yet?

Now that the new year is here, it is time to resolve to test your applications both statically (code review) and dynamically (penetration testing).

Vulnerability Management

Compliance Impact of Virtual Artifacts

Steve Kerns' thoughts on the compliance impact of virtual artifacts.
