NetSPI Blog

Steve Kerns
June 6th, 2017

Application Self Protection – A New Addition to the OWASP Top 10

OWASP has just published the release candidate of its Top 10 most critical web application security risks. While no major changes were included, two new risks were added. This blog discusses the first of them: A7 – Insufficient Attack Protection.

Steve Kerns
March 28th, 2016

Open Source Software – Is It the Death of Your Company?

Open source software could contain licenses that are bad for your company or contain security vulnerabilities that could damage your software.

Steve Kerns
March 14th, 2016

Dumping Memory on iOS 8

Back in January of 2015 NetSPI published a blog on extracting memory from an iOS device. Even though NetSPI provided a script to make…

Steve Kerns
March 27th, 2014

The Way Back Machine – Microsoft Word for Windows 1.1a

On March 25, 2014, Microsoft released the source code for Microsoft Word for Windows 1.1a. They said they released it “to help future generations of technologists better understand the roots of personal computing.” I thought it would be interesting to perform an automated code review on it using CheckMarx, to see how they did related […]

Steve Kerns
November 14th, 2013

PA-DSS 3.0 – What to Expect

The PCI Council has just released PA-DSS version 3.0. They have added new requirements, removed one, and changed a few. How this affects your application really depends on how you implemented security. What's Been Added – Req. 3.4: Payment application must limit access to required functions/resources and enforce least privilege for built-in accounts: By default, all […]

Steve Kerns
October 3rd, 2013

Outsourcing application development – what is missing?

I have been reading a few articles on outsourcing application development. Many of them have good information on what to look for and how to work with the companies doing the development. However, I have yet to see any of these articles talk about security and how to handle that in the outsourcing process. In […]

Steve Kerns
April 11th, 2013

Why does one QSA pass me when another would not?

A question came up about a PCI audit that was performed for one of our customers. They just finished their PCI audit and passed. I am now working with them on a new software application and there is a vulnerability in their application that was ranked as a high. This was discovered on an application […]

Steve Kerns
February 26th, 2013

Code Review – is automated testing enough?

We have worked with many companies that are following the letter of the law, the law being the PCI Council’s requirement (6.3.2) that all code must be reviewed prior to release. It states: 6.3.2 Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability. Note: This […]

Steve Kerns
January 23rd, 2013

Mobile Application Testing – Where is it?

I was reading a few articles about how mobile devices, because of their popularity, are now the focus of malicious hackers. I thought this was interesting because many companies are developing applications for the mobile platforms and based on the information I have heard, they really do not have a formal process to test these […]