When testing source code and compiled apps:
- Perform static code analysis of any source code you obtain in the pen test.
- Use static code analysis to look for vulnerabilities in the code.
- Perform dynamic analysis of compiled apps you target in the pen test.
- Test an app's inputs, behavior in specific environments, and interaction with other apps.
- Use automated tools to optimize the static and dynamic analysis processes.
- Use fuzzers to send random or unusual values to an app's inputs.
- Reverse engineer software to learn more about how it works.
- Use a decompiler to translate a binary executable into high-level source code.
- Understand that decompiled code can be obfuscated and not completely true to the source.
- Use a disassembler to translate a binary executable into assembly code.
- Understand that disassembled code can be difficult to read.
- Use a debugger to perform interactive reverse engineering on an app.

Follow NASA's 10 Rules:
- The Power of 10: Rules for Developing Safety-Critical Code (Wikipedia)
