The whole month of March 2021 has been a crazy one in the world of cybersecurity.
Four zero-day vulnerabilities in Microsoft Exchange Server are being actively exploited by a China-based, state-sponsored threat group code-named HAFNIUM, and these vulnerabilities appear to have been adopted by other cyberattackers in widespread attacks.


I was recently asked which OWASP/DevSecOps/Application Security/Cloud Security-themed podcasts I listen to.

Here’s the list:

(please note that these podcasts are available on all or most podcast platforms; in this list I only provide the Google Podcasts links):

Application Security Podcast (produced by Chris Romeo/ Security Journey): https://podcast.securityjourney.com/

OWASP Podcast (now known as DevSecOps Podcast Supported by OWASP — produced by Mark Miller — interview format): https://soundcloud.com/owasp-podcast

BeerSecOps — Podcast About Dev, Sec, Ops, and Everything in Between (run by Steve Giguere/AquaSec, interview format): https://podcasts.google.com/?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9mMzg2Njg0L3BvZGNhc3QvcnNz

DevSecOps Overflow (produced by Michael Man, interview format): https://podcasts.google.com/?feed=aHR0cHM6Ly9mZWVkcy5idXp6c3Byb3V0LmNvbS83MzMwNzAucnNz

Absolute AppSec (produced by Ken Johnson and Seth Law, chat with guests): https://podcasts.google.com/?feed=aHR0cHM6Ly9hYnNvbHV0ZWFwcHNlYy5jb20vcnNzLnhtbA

Cloud Security Podcast: https://podcasts.google.com/?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy8xMGZiOTkyOC9wb2RjYXN0L3Jzcw&ved=2ahUKEwiHte_Uu4npAhUShhoKHcTBCLYQ4aUDegQIARAC

The Secure Developer Podcast (produced by Heavybit, interview format): https://podcasts.google.com/?feed=aHR0cHM6Ly93d3cuaGVhdnliaXQuY29tL2NhdGVnb3J5L2xpYnJhcnkvcG9kY2FzdHMvdGhlLXNlY3VyZS1kZXZlbG9wZXIvZmVlZA&ved=0CB0Q27cFahcKEwi4kpi8uonpAhUAAAAAHQAAAAAQBw

DevSecOps Talk Podcast (Mattias Hemmingsson, Julien Bisconti and Andrey Devyatkin chat about the latest news and ideas): https://podcasts.google.com/?feed=aHR0cHM6Ly9mZWVkLnBvZGJlYW4uY29tL2RldnNlY29wcy9mZWVkLnhtbA

Follow me on Twitter: https://twitter.com/securestep9


OWASP Nettacker screenshot showing detected and vulnerable Citrix device

The Citrix CVE-2019-19781 vulnerability is the hot topic in information security circles this week, as exploits for it are now publicly available and may allow unauthenticated attackers on the Internet to obtain direct access to the victim organisation’s internal network. Citrix NetScaler ADC and Gateway products are affected.

According to…


This post is not cyber security related. A lot of my friends (who work in IT and InfoSec/Cyber Security) live in different countries and are thinking of moving to the UK before Brexit hits, so they keep asking me about salary and tax levels in the UK.

I have therefore compiled this little helper table to show how an annual salary in the UK (in tax year 2019–2020) translates into the monthly amount that lands in the bank after tax deductions (also known as “monthly take-home” pay):

https://gist.github.com/securestep9/decd92d0437164ba65fa3c81f02434e9

Since my friends have thanked me for it many times, I think it will be useful for everyone, so I am publishing it on my blog.

Data source: listentotaxman.com


I am quite often asked which cyber security themed meetups, events and conferences are happening in London, and which ones are worth attending.

First of all, as a Chapter Leader of the OWASP London Chapter, I of course need to mention our OWASP London Chapter Meetups (or “Chapter Meetings”) which…


Has @Google gone mad? A legitimate support page asks me to upload a photo of my government-issued ID and a photo of my credit card! To Google Cloud?? To “verify” the account?? Cybercriminals will be thanking Google for this #phishing gift!

Here is the link if you want to try this yourself (real Google Support page, not phishing):

Of course the problem with this approach is that for two decades now we have been teaching users in security awareness courses that a legitimate website will never ask for this kind of thing to “verify” an account; that is exactly what phishing websites do…


Today I got an interesting and unexpected error message from Firefox 58, which was running with just the default page open: it suddenly displayed a popup saying that a script on the following page is running slowly:

chrome://global/content/bindings/textbox.xml

I have found some references on the Mozilla Developer site; however, this does not look good from a QA and testing point of view:

https://developer.mozilla.org/en-US/docs/Mozilla/About_omni.ja_(formerly_omni.jar)


While working on a mobile application security project for a client, I had to investigate all HTTPS calls made by an app using a “man-in-the-middle” technique, essentially pushing all traffic from the test Samsung Galaxy S5 smartphone through an intercepting proxy. And I stumbled upon something really strange.

Every now…

Sam Stepanyan

Application Security Consultant, OWASP London Chapter Leader, OWASP Chapter Committee Chair, Cyber Security Blogger & Speaker
