Approach for pentesting PaaS apps

There are some platforms that allow building custom applications from pre-prepared "blocks", such as ServiceNow or MS SharePoint. However these also allow to include own pieces of code to extend default functionalities. When you are given such an app in a pentest, how do you determine which components to skip (because these were already tested by vendor's team or bug bounty hunters) and to which pay attention to because these are custom? Of course ideally one would test entire app, but you know – time/money/etc.

Code review is one approach that comes to my mind, so you get an explicit list of functionalities produced individually by the client. Do you have any other ideas?

Touch here for the full post on Network Security Noblemen tumblr

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s