In today’s “Meet the ICS Expert” series, we are delighted to interview Gareth Paterson, co-founder of Incursion Cyber Security and one of our multi-disciplined Cyber Security consultants and Web Application Penetration Testers.   

Before we take a closer look into your remarkable career journey into cyber security, it would be great to gain an insight into the key drivers behind shaping your career and who you have become today.   

Interview Questions

1. Can you share a specific milestone that stands out that led you to a career as in Cyber Security and Penetration Testing?

“After a serving 24 years of my career in the army I was a bit lost on what to do next. Someone noticed I had an aptitude for technology and suggested I give cybersecurity a shot. In my first week, I ended up unintentionally kicking everyone off my home internet while learning about DDoS attacks. Surprisingly, that messy start turned out to be the beginning of my career journey from the frontline to command line.”  

2. What do you enjoy most about being a cyber security consultant 

“No two days are the same and I really enjoy helping companies solve their security problems. It’s great to chat to clients about potential attack vectors, sharing insights with them. I enjoy walking them through the types of vulnerabilities in their controls that threat actors can leverage, and how this could impact their business operations.”

3. Your consultancy offers a variety of penetration testing assessments however, not everyone is familiar with web application testing. What is web application testing? 

“Web application testing involves evaluating an organisation’s internal and external web applications. The aim is to simulate real-world cyber-attacks, uncover vulnerabilities, and assess potential risks. Ethical hackers, also known as penetration testers, utilise various tools and techniques to scrutinise the security and application logic. The end goal is to provide clients with detailed insights into potential attack vectors and recommend measures to enhance their controls and the application’s security, safeguarding against data breaches, unauthorised access, and security threats.” 

4. What types of training and skills do web application penetration testers need to be successful in their roles?

“Cybersecurity consultants must adopt an offensive mindset, possessing the ability to identify irregularities within applications. I have encountered situations where suspicions arose, prompting a more in-depth investigation, leading to the discovery of vulnerabilities. An understanding of the different layers of an applications architecture and how the application works, helps the consultant to identify vulnerabilities that can be leveraged by attackers. Entry-level qualifications, such as CREST CRT certification and The Cyber Scheme CSTM, show that the penetration tester has required skills and the capability to assess and ethically compromise the most critical web application vulnerabilities.”

5. How do you and your team keep abreast of vulnerabilities and the threat landscape 

“Professionals in our industry, including my team and me, prioritise staying well-informed about vulnerabilities and the evolving threat landscape via diverse channels. Personally, I consistently track security news, blogs, and forums. I subscribe to vendor alerts, actively participate in threat intelligence forums, and keep an eye on government feeds to stay ahead of emerging threats. Engaging with peers through professional networks, attending cybersecurity conferences and events, and investing in continuous education and certifications are integral components of staying current. As the saying goes, “It takes a village to raise a child,” and in cybersecurity, it takes a global community to safeguard the digital environment.”

6. What are the primary web application threats companies are facing? 

“Companies should be prioritising and protecting anything listed on the OWASP (Open Web Application Security Project) top 10. This list highlights the most common threats and critical web application risks. Security misconfigurations along with authentication and session management issues are some of the risks I often encounter whilst running a test.” 

7. What types of tools, testing methodology and steps do you and the ICS team use for web application assessments and penetration testing?  

• “ICS employs a refined methodology, that has been honed through experience having worked for some of the largest consultancies in the industry. This is continuously changing to ensure that we remain concurrent with the evolving threat Landscape.”

• “For web application assessments, our primary tool is Burp Suite Pro, that testers leverage to uncover up to 90% of the OWASP (Open Web Application Security Project) vulnerabilities. This suite is also part of the wider Kali Linux distribution, our dedicated pen testing operating system, that offers not only comprehensive testing capabilities but also generates a transparent audit trail through log analytics. This combination ensures precision and clarity in our assessments.”

8. Some organisations can overlook the needs to pen test internal web applications. Why do you think that it and what advice would you give to those organisations? 

“A lot of organisations underestimate the potential of vulnerabilities in their internal applications, assuming they won’t be targeted. However, whether it’s an external threat actor gaining internal network access or a malicious insider, if they exploit vulnerabilities in internal applications, significant damage can occur. For instance, during a test on an HR & Finance system, I managed to create a fictitious employee with an authorised multi-million-pound compensation package. My advice is to prioritise the assessment of internal applications to uncover and address potential vulnerabilities.”

9. What are the benefits of web application testing?

“Web application testing plays a critical role in ensuring applications do not disclose sensitive information about your company, clients or staffing information. It also plays a crucial role in protecting supply chains, particularly when it comes to Application Programming Interfaces (API’s), as they play a primary role in the seamless operation of the supply chain. Compromised API security can result in unauthorised access, data breaches or as we are seeing in recent attacks manipulation of information within the supply chain. A comprehensive web application test can help organisations to identify and address vulnerabilities in API’s reducing the risk of potential of business disruptions, compliance breaches or loss of business across the supply chain.”  

10. What advice would you give to a business that see web application and penetration testing in general as a cost centre rather than a business and compliance enabler? 

“Your external facing web application is your number one target for hackers within your application attack surface. It is the gateway to your company. If a business views a web application penetration test as a cost centre rather than recognising it’s potential as a business and compliance enabler, then we the industry have some work to do to change perspectives.”  

• “Web application and penetration testing should be seen as a strategic investment, emphasising its business implications beyond compliance. Reputation and trust are crucial in business, and even a simple defacement can lead to significant reputational damage. More sophisticated cyber-attacks can and do disrupt operations, causing significant damage and financial loss.”

• “By framing penetration testing as a business case supported by sound economics, CISOs, Security, and Technology leaders can showcase its contribution to organisational resilience. Understanding the value at risk makes the cost-benefit analysis highly compelling.”

At Incursion Cyber Security we offer a number of comprehensive and robust web application security assessments from certified experts. Discover how a pen test can help you maintain compliance and help your organisation win new supply chain contracts.

Get a fast web application pen testing quote from CREST and The Cyber Scheme certified security experts.