Security Consultant Spotlight: Clarence Panganiban

Clarence Panganiban

Offensive Security Engineer, Philippines

‍

Clarence Panganiban is an Offensive Security Engineer, ethical hacker, and member of VikingCloud’s Cyber Threat Unit. Clarence is responsible for conducting quality assurance (QA) checks of customer reports and performing customer penetration testing on Web Applications, APIs, Networks (External and Internal), and Mobile Applications.

‍

Clarence oversees the Web and Mobile Application Vulnerability Assessment and Penetration Testing (VAPT) for iOS and Android in-house tools. He also conducts client technical briefings and leads the weekly Vulnerability Round Table, in which the QA Team picks a noteworthy vulnerability or tool to share with colleagues on VikingCloud’s Cyber Threat Unit.

‍

Clarence joined VikingCloud nearly 3 years ago as a Mobile Application Penetration Tester and has been working in the cybersecurity industry for nearly 9 years. Before working at VikingCloud, he was a Mobile Application Security Consultant, handling iOS and Android Application testing, mobile and application testing, QA, and team training. Clarence holds a BS in Computer Science and Information Technology.

‍

Interview with Clarence

‍

Q: What’s your favorite security vulnerability and why?

‍

A: I would say the Response Manipulation technique because it is one of the vulnerabilities that some developers overlook or just ignore, as it is oftentimes considered ‘easy’ to find. And while it may be easier than other vulnerabilities, detecting it – and leveraging its presence to trigger additional testing is crucial for security because it can lead to multiple vulnerabilities, such as one-time password (OTP) bypass, Registration Bypass, Account Takeover, Locked Account bypass, and more.

‍

I was recently testing a financial application and experienced the Response Manipulation vulnerability. I was able to bypass the OTP, manipulate the response while logging in by changing the ID, successfully forward the response, and log in to a different account, seeing the funds and other personal details.

‍

Q: What is the primary cause of breaches you often see? Do you have any relatable stories you can share?

‍

A: In my experience, what I’ve seen most as the primary cause of breaches is Broken Access Control. An example is a mobile application for a healthcare provider with an Insecure Direct Object Reference (IDOR) vulnerability. In this vulnerability, the user ID is in the URL and by changing it, it brings you to a different account profile that will show personally identifiable information (PII), patient health conditions, and more. This type of vulnerability violates the person's privacy and is often overlooked by the developers.

‍

Q: If you could give one piece of advice to our customers, what would it be?

‍

A: I would advise companies always to prioritize digital security and privacy. Conducting vulnerability and penetration testing regularly will significantly enhance the security posture of a company and will also help identify and address potential weaknesses before they can be exploited. Lastly, be vigilant and proactive in safeguarding your business to protect from malicious actors.

‍

Clarence proudly shares his many years of experience with the rest of the VikingCloud Cyber Threat Unit. His deep understanding of mobile and web application testing has enabled him to provide guidance and expertise internally for product development and our customers. We’re thrilled that he’s a part of the VikingCloud team.

‍

Learn more about Clarence on LinkedIn: https://www.linkedin.com/in/clarence-panganiban-73a8989a/.

‍