appsec.lol


So, another year has come and gone and you still have that feeling. That little voice inside that says, “I wonder how good our cyber security is…” Is that super critical application just sitting out there on the internet scared and alone? Maybe now is finally the time to look into it, but where to start?

What kind of test should I use?

Typically, when you hear someone explaining pentesting they divide the testing process into a few groups: black box, white box, gray box, maybe even crystal box, but that is not what I am going to get into here. If you are unfamiliar with those terms, stop now, go read about them a little, and come back to me. I’ll wait.

Now, we are going to delve into another breakdown, specifically with regard to application security assessments - static, dynamic, and hybrid.

Static Code Analysis (SCA) is an analysis of the application source code performed in an offline manner. There are a few different ways to handle SCA, and there are many products that will aid in finding bugs. All of these work in the same way; they look at the text of the source code and the flow of the code paths to determine if any errors, oversights, or misconfigurations will negatively affect the application at runtime. Unfortunately, SCA is prone to false positive findings, as the analysis tool cannot know what data will be in a variable or how other components may alter the code flow. The cleanup process requires human intervention and can be very labor intensive. Basically, somebody has to make the call whether that log entry really will contain Personally Identifiable Information (PII) or that output string really is vulnerable to Cross-Site Scripting (XSS).

The opposite of static testing, naturally, is dynamic testing. This is where a pentester sits down at the live, running application and tries to break it. Utilizing real servers and live data in the database, the dynamic test will look at every facet of the application as it presents itself to normal users. This is where we find live vulnerabilities like privilege escalation, authorization bypass, and brute-force weakness.

Hybrid is my favorite type of testing, as it really is the best of both worlds for application security. When I work on hybrid tests, I typically have the source code open at the same time as the application, and they feed off of each other. A hint of a bug in dynamic testing can be verified and refined through examination of the corresponding code. A potential finding from SCA can be tested dynamically to validate whether it really is a vulnerability or not and how difficult it is to exploit.

Hybrid testing gives the best possible answer to the question that everybody really wants to know – “What is the risk?” By crafting a proof-of-concept exploit for a given vulnerability, it is easier to determine how much custom code, time, and effort goes into exploitation. The dynamic testing will tell me exactly what an attacker is able to accomplish by performing this attack, and the source code shows me exactly where the vulnerability can be remediated.
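To make the static/dynamic contrast above concrete, here is an added example (not code from the original post) of the triage loop a hybrid test performs: a toy static rule, built on Python's `ast` module, flags any function that concatenates a parameter straight into an HTML string, and a dynamic check then executes each flagged function to see whether unescaped input actually survives. The sample "application code", the function names and the `"<x>"` probe string are all constructed for the demonstration; the allow-listed function shows the kind of false positive the text describes, since the static rule cannot see that the value is replaced before it reaches the output.

```python
import ast

# Constructed sample application source for the analyzer to inspect.
SAMPLE_SOURCE = '''
from html import escape

def greet_vulnerable(name):
    return "<h1>Hello " + name + "</h1>"

def greet_escaped(name):
    return "<h1>Hello " + escape(name) + "</h1>"

ALLOWED = {"alice", "bob"}

def greet_allowlisted(name):
    if name not in ALLOWED:   # runtime check the static rule cannot reason about
        name = "guest"
    return "<h1>Hello " + name + "</h1>"
'''

def static_findings(source):
    """Toy SAST rule: report functions where a parameter is concatenated directly
    with a string literal containing an HTML tag. Purely syntactic, so it cannot
    tell a validated value from raw user input."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        params = {a.arg for a in func.args.args}
        for node in ast.walk(func):
            if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
                sides = (node.left, node.right)
                tainted = any(isinstance(s, ast.Name) and s.id in params for s in sides)
                html = any(isinstance(s, ast.Constant) and isinstance(s.value, str)
                           and "<" in s.value for s in sides)
                if tainted and html and func.name not in findings:
                    findings.append(func.name)
    return findings

def dynamic_findings(source, names):
    """Dynamic check: run each flagged function with a harmless marker and see
    whether it comes back unescaped (exec is used only on the constructed sample)."""
    namespace = {}
    exec(source, namespace)
    probe = "<x>"
    return [n for n in names if probe in namespace[n](probe)]

def triage(source):
    """Hybrid verdict per static finding: confirmed at runtime, or a false positive."""
    static = static_findings(source)
    confirmed = set(dynamic_findings(source, static))
    return {n: ("confirmed" if n in confirmed else "false positive") for n in static}
```

Running `triage(SAMPLE_SOURCE)` confirms `greet_vulnerable` and marks `greet_allowlisted` as a false positive, while `greet_escaped` never appears because the static rule sees the `escape()` call.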

Great, when do we start?

In most modern development cycles there is never really a good time to just stop everything and let the security people poke around doing whatever it is they do. Thankfully, there are ways to perform the assessments out of cycle with little to no interruption to the dev team. With the proper preparation, you will never know we were there (until you get the report).

How do I get ready?

So here’s the thing. You do not want to have to pay me to sit around and wait on administrative processes. I would like to avoid that as well; I want to start immediately providing value to you and making your work life just a little bit better. Check off all of these items ahead of time and we will all be much happier:

Administrative

Source Code

Test Environment

Access

Special Considerations

Conclusion

If you do not watch the news, allow me to summarize. Criminals are hacking everything that is connected to the internet, and some things that are not. While there are indeed people that prefer to have an adversarial “Red Team” type of test, that is not always the best path. If you got this far in my post, you probably already know that is not what you are looking for. Working closely with a testing provider and fully preparing beforehand will yield far better results.

If your organization is new to cyber security, do not worry about perfect scores or who to blame. The past is gone; make a plan for the future that will help to keep your organization off of the list of public security breaches.

Pick something and get started.