Perspectives of a Security Maverick written by Kenneth F. Belva

Kenneth F. Belva

Kenneth F. Belva is the Publisher and Editor-in-Chief of He recently developed IoT Crusher to as a solution to scan and detect privileged default accounts on embedded and legacy systems.

He currently works as a consultant in the financial services and health care verticals providing high level cyber risk-based guidance and conducting both technical and non-technical risk assessments focusing on web-based application security and network vulnerabilities while helping deliver security solutions .

Previously he managed an Information Technology Risk Management Program for a foreign bank whose assets are Billions of dollars where he reports directly to the Senior Vice President and Deputy General Manager (CFO). recognized him as one of the top information security influencers in 2007. He is a frequent speaker at NYC cyber events and has spoken at the NYC chapters of OWASP, ISSA, ISC2, ASIS as well as the New York Metro Joint Cyber Security Conference. He spoke at OWASP AppSecUSA 2015 and in the BioHacking Village at DefCon in 2017.

Mr. Belva also has a number of technical accomplishments, including a US patent on Cross Site Scripting including automated cross-site scripting exploitation techniques. Most recently in 2017 he found a series of serious vulnerabilities in IBM Merge PACS which affected 1/3 of the entire health care vertical. BugCrowd and Hacker1 validated XSS vulnerabilities he found in Yahoo, Yandex, OKCupid, and Angelist. He has since been credited with finding a number of other vulnerabilities on sites such as Netflix, joomla, Honeywell and Verifone. His 2001 work on Microsoft’s Universal Plug and Play vulnerabilities was cited at two major security conferences, Defcon and CanSecWest.

In 2009, he was published in the Information Security Management Handbook, Sixth Edition, edited by Hal Tipton and Micki Krause. He also co-authored one of the central chapters in Enterprise Information Security and Privacy, edited by Warren Axelrod, Jennifer L. Bayuk and Daniel Schutzer.

He was previously on the board of the Board of the New York Metro Chapter of the Information Systems Security Association (ISSA) where he served in various capacities over a span of 9 years. In 2009 he was Vice President. In 2008, he served as an Advisor to the Board. During 2006-2007 he was the Chair of the Public Relations Committee as an active Board Member. In this role Mr. Belva was in charge of communication between the Chapter and other information security related professional organizations. He was a Chapter Leader at OWASP NYC and OWASP Brooklyn between 2013 and 2017.

He has spoken and moderated at the United Nations as well as presented on AT&T’s Internet Security News Network (ISNN) on discovering unknown web application vulnerabilities as well as being interviewed on security enablement.

He recently co-authored a paper entitled “Creating Business Through Virtual Trust: How to Gain and Sustain a Competitive Advantage Using Information Security” with Sam Dekay of The Bank of New York. In 2005 he authored the contrarian paper: “How It’s Difficult to Ruin A Good Name: An Analysis of Reputation Risk” which was a leading paper on the impact of security breaches on stock prices. He is the author of the chapter “Encryption in XML” in Hackproofing XML published by Syngress. He taught as an Adjunct Professor in the Business Computer Systems Department at the State University of New York at Farmingdale.

Mr. Belva holds the Certified Information Systems Security Professional (CISSP). He previously held the Certified Ethical Hacker (CEH) certification and has passed the Certified Information Security Manager (CISM) exam.

Mr. Belva frequently presents at information security conferences around the US as well as globally. He writes on day-to-day information security experiences in a non-essay format at He can be followed on twitter @infosecmaverick.

What Cyber Security Can Teach Us About Preventing Mass School Shootings

– Cyber security deals with proliferation of insecure devices at a mass scale similar to the volume of guns. Cyber and physical security have overlapping protection concepts: The scale and insights of cyber illustrate why our current debate is frozen with people arguing the same tireless points that…

CISSP-squared: Passing the Exam a Decade Later

– In February 2003 I took and passed the CISSP exam. As much as the CISSP is the current industry gold standard (as a colleague of mine recently reminded me) it had even more prestige in 2003. Worldwide there were less that 45,000 certification holders in 2003 and it was the hallmark of excellence.…

The CIA Triad: Theory and Practice

– Recently published an article by Warren Axelrod entitled, It’s About Availability and Integrity (not so much Confidentiality). It appears that the article generated a bit of controversy with a response by Jim Bird entitled, It’s About Confidentiality and Integrity (not so much…

H1N1 Threat Overblown? Information Security Relevance? A Logic Proof

– “H1N1 was totally overblown. Nothing really terrible happened. No one suffered a pandemic and the resulting deaths were less in number than the deaths from the regular flu.” That’s a paraphrase of what some colleagues said to me. This sentiment is now echoed in the mainstream…

Cloud Computing Security at Newsweek

– Daniel Lyons will publish an op-ed on the insecurity of cloud computing in Newsweek‘s February 1st, 2010 issue. The  main thrust of the article can be summarized as such: But there is one big, glaring problem with cloud computing, and it just got laid bare in Google’s recent problems…