When testing source code and compiled apps:

  • Perform static code analysis of any source code you obtain in the pen test.
  • Use static code analysis to look for vulnerabilities in the code.
  • Perform dynamic analysis of compiled apps you target in the pen test.
  • Test an app's inputs, behavior in specific environments, and interaction with other apps.
  • Use automated tools to optimize the static and dynamic analysis processes.
  • Use fuzzers to send random or unusual values to an app's inputs.
  • Reverse engineer software to learn more about how it works.
  • Use a decompiler to translate a binary executable into high-level source code.
  • Understand that decompiled code can be obfuscated and not completely true to the source.
  • Use a disassembler to translate a binary executable into assembly code.
  • Understand that disassembled code can be difficult to read.
  • Use a debugger to perform interactive reverse engineering on an app.
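
A minimal mutation fuzzer illustrating the fuzzing guideline above, as an added example that is not part of the original notes. The record format, `parse_record`, its `check_bounds` switch and the sample input are hypothetical, constructed for the demonstration; the fuzzer runs in-process against that toy parser only.

```python
import random
import struct

BOUNDARY = (0x00, 0x01, 0x7F, 0x80, 0xFF)  # "unusual" byte values
# Constructed sample: type(1) | length(2, big-endian) | payload | checksum(1)
SAMPLE = b"\x01" + struct.pack(">H", 5) + b"hello" + bytes([sum(b"hello") % 256])

def parse_record(data: bytes, check_bounds: bool = False) -> bytes:
    """Hypothetical target. ValueError is its documented rejection path."""
    if len(data) < 4:
        raise ValueError("short record")
    length = struct.unpack(">H", data[1:3])[0]
    if check_bounds and 3 + length >= len(data):   # the fix
        raise ValueError("length exceeds record")
    payload = data[3:3 + length]
    if data[3 + length] != sum(payload) % 256:     # defect without the fix: unchecked index
        raise ValueError("bad checksum")
    return payload

def mutate(sample: bytes, rng: random.Random) -> bytes:
    buf, op = bytearray(sample), rng.randrange(4)
    if op == 0:                                    # flip one bit
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1:                                  # overwrite with a boundary value
        buf[rng.randrange(len(buf))] = rng.choice(BOUNDARY)
    elif op == 2:                                  # truncate
        del buf[rng.randrange(len(buf)):]
    else:                                          # insert random bytes
        i = rng.randrange(len(buf) + 1)
        buf[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 9)))
    return bytes(buf)

def fuzz(target, sample: bytes = SAMPLE, iterations: int = 2000, seed: int = 1234) -> dict:
    """Return the first reproducer for each unexpected exception type."""
    rng = random.Random(seed)                      # fixed seed: findings are reproducible
    crashes = {}
    for _ in range(iterations):
        case = mutate(sample, rng)
        try:
            target(case)
        except ValueError:
            pass                                   # clean rejection, not a finding
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, case)
    return crashes

if __name__ == "__main__":
    print("unchecked:", fuzz(parse_record))
    print("bounds-checked:", fuzz(lambda d: parse_record(d, check_bounds=True)))
```

The unchecked parser yields an `IndexError` reproducer, while the bounds-checked variant turns the same inputs into clean `ValueError` rejections and produces no findings.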

Follow NASA's 10 Rules:

The Power of 10: Rules for Developing Safety-Critical Code - Wikipedia