Proving the Sum of the Parts Theory
A code assisted pen test (CAPT) is a combination of white-box (code) and black-box (software application) analysis where application code is leveraged as supplemental documentation throughout testing. It is different than a code review, which is driven from analyzing code first.
This technique primarily combines security testing with code-based correlation for:
Enhance test coverage (speed)
In our experience, this results in a higher number of vulnerabilities in a shorter amount of time versus a penetration test where the code is not available. This underutilized technique, while not revolutionary or new, can improve code security exponentially.
Accessing the Source Code
While conducting a CAPT, when abnormal application behavior is detected, the code can be referred to in order to discover the culprit for that behavior. Without the help of source code, the application functionality would need to be examined and the reason for the particular abnormal behavior inferred. This results in lost time on rat holes and can result in deeper or chained issues, or known framework issues, not being found.
Having direct access to the source code helps pinpoint the exact location of the vulnerability which in turn reduces the false positives. Having access to both a working application/system and the source code improves efficiency because potential problems can be identified in code and then verified by testing against the as-built system.
The Best of Both World's
To be more specific, this approach makes it easy to follow up on verifying business logic and mechanisms in place such as randomness (using secure random) and encryption (verifying encryption algorithms in use). Additionally, when testing front-end systems that leverage backend systems which aren’t accessible, having the code allows us to verify the connections to the backend are secure (i.e. not skipping certificate validation, not using encryption and authentication/authorization). Some vulnerabilities are much easier to test for in code, such as crypto issues and other algorithmic errors. CAPT provides the best of both worlds.
This improves efficiency and debunks a common myth that toggling between source code and the as-built application would be labor intensive. As an added value, having the code available can allow the tester to provide product and code specific fixes to issues found, saving developers time in research and development.
Tips for conducting a code assisted penetration test:
- 1. After locating an issue in testing, locate the issue in code and search for other areas using the problematic area or similar code.
- 2. Search for low hanging fruit such as secrets hardcoded in the source code, unauthenticated or hidden/dead API functionality, use of direct code execution functions, verification that backend connections are employing https and properly validating certificates.
3. Search for C/C++ banned functions and other specific keywords (by vulnerability type and language) in the codebase to find “quick wins”.
4. Run a custom vulnerability scanning script or code scanner to find out the low hanging fruit and other “possible” vulnerabilities.
Download our Code Review Keywords Worksheet - contains banned functions by vulnerability types and languages for you to copy and paste to search your codebase:
For organizations that have access to source code and are not constrained by logistical, legal and corporate policy issues, a code assisted pen test will always yield higher code coverage and vulnerability findings than a stand-alone pen test. Additionally, when looking at the source code along with the deployed environment, you get a broader view of the architecture, and deeper look into the application that can allow for identifying design level issues – another added benefit.
Security Innovation can conduct white-box, grey-box and black-box assessments for any software application type, and can help you better understand what is right for you. Learn more