Steve Kerns
More By Steve Kerns
Application Self Protection – A New Addition to the OWASP Top 10
OWASP has just released their release candidate of the Top 10 most critical web application security risks. While no major changes were included, they added two new ones. This blog discusses the first one in the list: A7 – Insufficient Attack Protection.
Open Source Software – Is It the Death of Your Company?
Open source software could contain licenses that are bad for your company or contain security vulnerabilities that could damage your software.
Dumping Memory on iOS 8
Back in January of 2015 NetSPI published a blog on extracting memory from an iOS device. Even though NetSPI provided a script to make...
The Way Back Machine – Microsoft Word for Windows 1.1a
On March 25, 2014, Microsoft released the source code for Microsoft Word for Windows 1.1a. They said they released it "to help future generations of technologists better understand the roots of personal computing."
PA-DSS 3.0 – What to Expect
The PCI Council has just released PA-DSS version 3.0. They have added new requirements, removed one, and changed a few. How this affects your application really depends on how you implemented security.
Outsourcing application development – what is missing?
I have been reading a few articles on outsourcing application development. Many of them have good information on what to look for and how to work with the companies doing the development. However, I have yet to see any of these articles talk about security and how to handle that in the outsourcing process.
Why does one QSA pass me and another would not?
A question came up about a PCI audit that was performed for one of our customers. They just finished their PCI audit and passed. I am now working with them on a new software application and there is a vulnerability in their application that was ranked as a high.
Code Review – is automated testing enough?
Comments on the PCI Council's requirement 6.3.2 that all code must be reviewed prior to release.
Mobile Application Testing – Where is it?
I was reading a few articles about how mobile devices, because of their popularity, are now the focus of malicious hackers. I thought this was interesting because many companies are developing applications for the mobile platforms and based on the information I have heard, they really do not have a formal process to test these applications for security.
Oracle’s stealth password cracking vulnerability
Steve Kerns comments on Oracle’s stealth password cracking vulnerability.
Happy New Year – Have you made your application testing resolution yet?
Now that we have come upon the new year, it is time to resolve to statically test (code review) and dynamically (penetration test) test your applications.
Compliance Impact of Virtual Artifacts
Steve Kerns' thoughts on the compliance impact of virtual artifacts.