Updated on: June 24, 2024
SafetyDetectives recently had the opportunity to interview Alex Harper, the Head of Penetration Testing Practice at Evalian. Alex leads a dedicated team of security testers who specialize in a broad array of security assessments, including penetration testing, web application testing, and cloud security evaluations. With a reputation for thorough and collaborative testing methodologies, Evalian stands out in the cybersecurity industry. During the interview, Alex shared insights on Evalian’s unique approach to penetration testing, the impact of remote work on cybersecurity strategies, and emerging trends that will shape the industry in the coming years.
Can you introduce yourself and talk about your role at Evalian?
I’m Alex, I head up the Penetration Testing Practice at Evalian. I manage a team of twelve security testers, and we carry out a wide range of test types, including external and internal infrastructure pen testing, web application testing, API tests, and mobile testing, as well as cloud security testing and social engineering assessments for organisations across the UK.
What makes Evalian stand out in the cybersecurity industry?
We are highly accredited both as a company and as individuals (CREST certified for pen testing and vulnerability scanning), we’re also one of the first organisations in the UK to be accredited for CREST OVS for mobile and web apps – this standard provides assurance to the buying community that developers using CREST OVS accredited providers know that they are engaged with ethical and capable organisations with skilled and competent security testers leveraging the OWASP ASVS and MASVS standards.
Our methodology is extremely thorough, using a mix of manual and automated pen test tools. Automated tools have their place, but ultimately, they can’t do what a human can do, for example if an automated tool gets data back that it wasn’t expecting, it’s not going to pick up the issues. So, using both manual and automated techniques gives you a more thorough assessment of your infrastructure or apps.
The other more important aspect that makes us stand out and has kept our clients returning to us for their testing requirements, is that our approach to cyber security and penetration testing is extremely collaborative. Penetration testing companies can be – to coin a pen testing term – “black box”, where you put a scope and money in at one end, and a report comes out the other end, and you don’t really see the process that goes on. This isn’t helpful to organisations and can mean poor quality reports and less effective remediation strategies. We wanted to do things differently and work closely with companies during all phases of testing, starting with the scoping phase. We see hundreds of apps and systems a year and can pick up on trends and vulnerabilities that the company might not have thought of, so it makes sense to leverage this knowledge to best help our customers.
We also ensure we are in touch with organisations throughout the whole testing process, so there’s that level of transparency, keeping them up to date – telling them about critical vulnerabilities as we find them, as opposed to just flagging them in the report. After the report is issued, we have a wash-up call, to give the client the opportunity to ask any questions, so we know that they fully understand the issues they need to remediate. We don’t treat our penetration testing service as a transactional service, it’s so much more collaborative and consultative than that, unlike many other pen testing service providers that simply use automated pen testing tools and provide a branded output with no other real interaction.
How has the shift towards remote work affected cybersecurity strategies at Evalian, and what adjustments have you had to make.
Like all organisations, we were unsure what impact the pandemic would have on our business, but we continued to grow as organisations recognised that cybersecurity and data protection compliance remained critical. A security culture is hard to maintain when people are spread out across the country and working in their own homes. The shift in remote work saw a need for organisations to onboard new suppliers quickly and adopt many more cloud and SaaS solutions, which then brought a whole host of issues such as misconfigurations of security controls, with many just opting for the default settings to get things done quickly.
With larger supply chains, more systems and cloud platforms in place, it means a need for more robust security measures and more regular testing. Our team has grown rapidly over the last five years, as we are increasingly helping organisations define and implement security standards and helping plan incident response and supply chain security strategies.
Of course with our own business, as we grew, more stringent security measures have been put in place to ensure we are delivering quality services, and practicing what we preach, to ensure our clients have the utmost trust in us.
What strategies do you believe are most effective for protecting sensitive data in increasingly complex IT environments?
Cyber security and data protection are constantly having to evolve as the threat landscape changes. Organisations should treat their security strategies the same. Security testing and response planning shouldn’t be “set and forget” projects. Not only that, but ensuring your security strategy is up to date and robust, can help with compliance obligations, such as ISO 27001 and more recently, NIS 2 (if your organisation falls in scope of this).
We’d recommend the following be included in your security strategy:
- Regular penetration testing of infrastructure, or web / mobile apps, API testing, testing of cloud environments – at the very least, annually.
- Incident response planning and exercising. Setting an incident response team and making sure they are aware of their roles, ensuring policies and procedures are in place in the event of a cyber incident and a robust and regularly updated incident response plan is in place.
- Having a robust security onboarding process for third party suppliers, so this means effective security questionnaires, regular assessments and monitoring your suppliers.
- Regular cyber security awareness training for your employees – such as social engineering (identifying phishing attacks and knowing what steps to take in the event of one).
Given the evolving cyber threat landscape, how critical do you consider regular penetration testing for maintaining security in an organization? What unique insights can these tests provide that other security assessments might miss?
Penetration testing and vulnerability scanning are often confused, and some organisations rely solely on scanning and think it is sufficient. Misunderstanding these services can lead to security gaps. One way to think of the difference between a penetration test and a vulnerability scan is to think of it as an intruder trying to break into your home. They may look for open doors and windows that offer easy access. This is like vulnerability scanning: it’s quick, simple and focuses on obvious weaknesses.
However, a more determined intruder could walk up to your house, push against locked doors and windows to check for access, but then go a step further to gain entry. For example, they may pick a lock with different tools until they get in, and then see where this access point takes them. This is like penetration testing because it is more determined, in-depth, and accesses areas that may have looked safe on the surface, but in fact could be broken into with a bit more effort.
Similarly with assessments like cloud configurations, whilst reconfiguring settings can solve the surface issues, it doesn’t go further than that, whereas penetration testing of your cloud environment goes a few steps further and identifies any weaknesses within the cloud environment.
Which emerging cybersecurity trends do you think will have the most significant impact over the next five years?
There are a number of cyber security threats and trends we anticipate in the coming years. The obvious one is AI and machine learning. We are already seeing several platforms being advertised that claim to detect threats in real-time to give organisations those “instant answers”. Whilst these may seem cost-effective and will have a place, we would still always advise to err on the side of caution with AI.
We are already seeing much more focus on supply chain security management, and given the frequency of supply chain attack headlines of late, and the increasing connectivity of organisations worldwide, this is only going to continue to grow. Organisations will be investing more in mitigating risks in their supply chain.
IoT security will undoubtedly be prevalent in the coming years, as devices evolve, and endpoints often lack the required security.
We also anticipate enhanced data protection regulations and security compliance. With the enforcement of directives such as NIS 2 in the next few months, organisations in scope of this will be ensuring their cyber security strategies are robust and maintained, to avoid more stringent penalties and fines (which, incidentally, are also increasing)