PrivSec Consulting

The pOwer of source code

2/20/2025

tl;dr

Traditional black box penetration tests are limited, and the complexities (and attack surface) of systems can be hidden. Using source code and design information to assist with testing can uncover hidden attack surfaces and provide tremendous value in an otherwise time-limited engagement.

Providing source code to help with an engagement can result in great benefits for both parties. This post is intended to give some insight into how source-code-assisted pentesting can deliver great outcomes for everyone.

Introduction:

10-15 years ago, source code was a valuable commodity. A company could easily spend tens of millions of dollars on developers, and the value of the platform would predominantly be the IP (Intellectual Property) - the source code and the product itself. In 2025, while developers are still reasonably valuable, the barriers to developing or reproducing software have dropped significantly and the value in software products has shifted.

A lot of source code is based on open-source libraries. In ye olde days, everything was custom - now it's generally a smaller custom layer on top of a lot of open-source components. Using and analysing source code is an efficient way of not only testing the application itself, but also finding paths between the application and the libraries in use.

The benefits:

  • Excellent time-to-value proposition
  • It is a more efficient use of resources and money
  • We can identify and validate bugs much faster
  • It allows us to provide much more specific remediation advice
  • Early elimination of false positives
  • It allows us to take in the solution as a whole

The resistance:

We have heard a lot of reasons as to why people can't/won't give us source code, including:

  • "This is our IP!"
  • "It's proprietary!"
  • "We can't trust you with it!"
  • "It's difficult for us to provide you access"

We get it. You have this software that does something unique, and you're worried about your source code leaving the hands of your developers. You may also just be interested in getting some 'compliance' because you might need it to onboard a big customer. Let's try and go beyond compliance and give you as much value as possible.

White box testing:

This testing is performed with full source code and related design documents to assist with testing. This type of testing is extremely efficient at uncovering hidden attack surfaces and can lead to significantly better results.

Black box testing:

This testing is performed without any internal knowledge of what is being tested, and the testing focuses on the external behaviour of the software in response to test input. The reality is, we use our experience, some frameworks/methodologies, and various heuristics to throw things at an application and try to understand its inner workings.

Grey box testing:

Somewhere in between black and white box, this testing involves similar behaviour checking to black box testing. However, the tests are more informed and can use source code or other normally hidden details about the inner workings of the application to develop test cases.

We work pretty hard to execute code on your machines

As penetration testers, we work hard to execute code on your servers. We also work our way across a breadth of vulnerability checks and exploits to try and cover as much ground as possible in a very short timeframe.

We're going to try to get your source code anyway, whether that be reverse engineering binaries that we found, downloading AMI images from AWS, finding git repos, or looking for git in web root (it happens).
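One of the cheapest ways to keep source out of a tester's (or attacker's) hands is to make sure it never ships in the served web root in the first place. The following is an added example, not PrivSec's code: a POSIX sh pre-deploy check that fails a build when a web root contains version-control metadata, a `.env` file, or editor backup copies of source files. The web root it scans is constructed in a temporary directory for the demo.

```shell
#!/bin/sh
# Added example (not part of the original post): refuse to deploy a web root
# that would expose source code or secrets. Assumes POSIX sh and find(1).

# Returns 0 when the web root is clean, 1 when any leak candidate is found.
# Each offending path is printed to stderr so a CI job fails with context.
check_webroot() {
  root="$1"
  found=0
  # Version-control metadata and dotenv files, at any depth under the root.
  for name in .git .svn .hg .env; do
    matches=$(find "$root" -name "$name" -print 2>/dev/null)
    if [ -n "$matches" ]; then
      printf 'leak candidate: %s\n' "$matches" >&2
      found=1
    fi
  done
  # Editor/backup leftovers that often hold a full copy of a source file.
  matches=$(find "$root" -type f \( -name '*.bak' -o -name '*.orig' -o -name '*~' \) -print 2>/dev/null)
  if [ -n "$matches" ]; then
    printf 'leak candidate: %s\n' "$matches" >&2
    found=1
  fi
  return $found
}

# Demo on a constructed web root (a temp dir, not a real deployment).
demo_webroot=$(mktemp -d)
mkdir -p "$demo_webroot/.git" "$demo_webroot/assets"
printf 'DB_PASSWORD=example-only\n' > "$demo_webroot/.env"
if check_webroot "$demo_webroot"; then
  echo "web root is clean"
else
  echo "web root leaks source or secrets; fix before deploying"
fi
rm -rf "$demo_webroot"
```

Run it as the last step before syncing a build artefact to the server, and treat a non-zero exit as a blocked release.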
This is a team sport / we want the same outcome

Cybersecurity is a team sport. We're not here to say, 'your code is bad, you should feel bad', or to use silly language comparing code bases to cybertrucks on fire.

We don't know the context in which this code was written, we don't know your software lifecycle, we don't know what your marketing team promised to your biggest customer or the timeframe they promised it in. All we know is that you've come to us to help uplift your security posture, and providing source code allows us to do just that.
