BLOG

Employee Spotlight
In the Spotlight profile series: Chand Chauhan

Chand Chauhan joined Continent 8 Technologies in January 2024, working from the Montreal office as a VAPT Engineer responsible for identifying and analyzing security flaws across systems and software. Our Meet Chand feature set the scene on his role in pen testing; now we're catching up with Chand again to discuss the latest cyber trends and how his role has developed over the past year and more.

Hello Chand, you completed your one-year anniversary earlier this year. Can you tell us how your first year has gone?

It’s been a strong first year in my role as both a Pentester and Auditor. I’ve gained hands-on experience in geolocation-based testing, physical pen tests, and audits aligned with GLI standards and state gaming control board requirements across the US. As Continent 8 and C8 Secure provide services across many US states where online betting is regulated, specific state requirements can differ quite significantly, bringing more complexity to the role.

I also recently proudly cleared my CISA certification, which has deepened my understanding of audit frameworks and IT governance. This year has been full of growth, learning, and applying my skills in real-world, high-impact environments.

In your initial discussion with us, you named Cross-site Scripting (XSS), Insecure Direct Object Reference (IDOR), and SQL Injection (SQLi) as the most common vulnerabilities in your VAPT assessments. Is this still the case today?

Yes, these continue to be among the most commonly identified vulnerabilities in web application assessments. Cross-site Scripting (XSS), Insecure Direct Object References (IDOR), and SQL Injection (SQLi) remain prevalent due to recurring issues in input validation, access control implementation, and insecure coding practices. Even though frameworks and libraries have evolved to prevent such flaws, we still find them across both modern and legacy systems – particularly in custom modules and API layers. Access control weaknesses remain one of the most persistent risks across web, API, and mobile applications.
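The pairing of IDOR and SQLi in a custom API layer that Chand describes above is easy to see in code. The following is an editorial example added to this profile, not code from Continent 8, C8 Secure or Chand: a constructed in-memory SQLite table of orders (invented sample data), a lookup handler that interpolates the request's order id into SQL and never checks ownership, and the hardened form that uses a parameterised query with an ownership predicate. The function and table names are assumptions for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data (not real customer data): two users, one order each."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, amount INTEGER)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", 40), (2, "bob", 75)],
    )
    return conn


def get_order_vulnerable(conn, current_user, order_id):
    """Typical custom-module bug: the id taken from the request is pasted straight
    into the SQL text (SQLi) and the caller's identity is never used (IDOR).
    'current_user' is accepted but ignored, which is exactly the defect."""
    sql = f"SELECT id, owner, amount FROM orders WHERE id = {order_id}"
    return conn.execute(sql).fetchall()


def get_order_hardened(conn, current_user, order_id):
    """Hardened form: the id is validated as an integer before it reaches the
    database, the query is parameterised, and the ownership check is part of the
    WHERE clause so a user can only ever read rows they own."""
    try:
        oid = int(order_id)
    except (TypeError, ValueError):
        return []  # non-numeric ids (including injection payloads) are rejected
    sql = "SELECT id, owner, amount FROM orders WHERE id = ? AND owner = ?"
    return conn.execute(sql, (oid, current_user)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # IDOR: alice asks for bob's order and gets it from the vulnerable handler.
    print("vulnerable, alice -> order 2:", get_order_vulnerable(db, "alice", "2"))
    # SQLi: a crafted id dumps every row.
    print("vulnerable, payload:", get_order_vulnerable(db, "alice", "1 OR 1=1"))
    # Hardened: ownership enforced and the payload never reaches the database.
    print("hardened, alice -> order 2:", get_order_hardened(db, "alice", "2"))
    print("hardened, alice -> order 1:", get_order_hardened(db, "alice", "1"))
    print("hardened, payload:", get_order_hardened(db, "alice", "1 OR 1=1"))
```

Note that the parameterised query alone would have closed the SQLi but not the IDOR; the `owner = ?` predicate is the access-control fix, and it is the part automated scanners most often miss because the response looks perfectly valid.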

Cyber threats are constantly evolving. What are some of the biggest changes you have seen in the cybersecurity space?

The cybersecurity landscape is evolving faster than ever. The biggest change I’ve seen recently is the rapid introduction of AI and ML-driven technologies, not just in security tools, but within business applications themselves. As organizations adopt AI engines like ChatGPT and other LLM-based systems, a new class of vulnerabilities has emerged, including prompt injection, data leakage from AI training pipelines, and insecure model integrations.

Additionally, attack automation and social engineering sophistication have increased dramatically with AI-generated phishing, deepfakes, and automated reconnaissance. From a defensive standpoint, we’ve also observed a stronger push toward zero trust architecture, cloud-native security controls, and continuous monitoring, which are helping organizations adapt to these modern threats. 

Can you provide insights into some of the new initiatives you are currently working on?

We’ve recently expanded our penetration testing capabilities into physical and geolocation-based assessments, focusing on validating physical access controls and location-dependent functionalities such as geo-fencing in gaming and payment systems.

We’re also leading new initiatives and enhancing API and cloud pen testing frameworks to align with the latest OWASP and compliance requirements. These initiatives are not just about identifying vulnerabilities but also helping our customers align their security programs with regulatory standards like GLI-19, GLI-33, and NIST, ensuring both technical and compliance assurance.

Working closely with our customers when it comes to pen testing services, are there any best-practice recommendations you would offer to customers to strengthen their cybersecurity posture?

My key recommendation is to go beyond automated scanning. Automated tools are great for coverage, but they often miss deeper business-logic and access-control vulnerabilities. Organizations should incorporate manual penetration testing by domain experts at least annually or after major changes.

In addition, maintaining a strong vulnerability management lifecycle, performing secure code reviews, and validating fixes post-remediation are essential steps. Finally, fostering a security-aware development culture through developer training and integrating security testing early in the SDLC (shift-left approach) can drastically reduce vulnerabilities before they ever reach production.
