We have a mature desktop application (over 10 years old) which tracks time spent in organisations on activities such as meetings, emails, management reporting, systems & applications, processes and instant messaging.
A potential new client has recently asked for a static and dynamic pen test review and report from a reputable 3rd party supplier (the application is downloadable here http://www.qlockwork.com).
The application is comprised of:
• a C++ exe that runs all the time on the desktop and talks to Windows via the WinAPIs (~6.5Kloc)
• a VB.Net COM add-in that runs inside the local Outlook client (~16Kloc)
They communicate asynchronously via XML files on the local disk. They should have very limited attack surfaces, and we can potentially make them even smaller.
We are interested in getting ballpark estimates for various options for pen testing. The client's preferred pen testing suppliers are Gotham Digital Services (GDS), Context IS and Portcullis.
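The one concrete attack surface the question names is the XML files the two processes exchange on the local disk: anything that can write to that directory can feed the consumer malformed or hostile XML. The following is an added example, not code from the poster's product or from any of the named pen test suppliers, of the kind of defensive parsing a reviewer would look for on that interface. The element names (`activity`, `seconds`) and the size limit are assumptions for the sake of the example; the real message format is not on the page.

```python
import xml.etree.ElementTree as ET

# Assumed root element and child names for the IPC messages (hypothetical).
EXPECTED_ROOT = "activity"
MAX_BYTES = 64 * 1024  # assumed upper bound for one IPC message


def parse_ipc_xml(data: bytes) -> dict:
    """Parse one IPC message with a strict allow-list.

    Rejects oversized input, any DTD (which is what enables entity
    expansion and external entity tricks in XML parsers), an
    unexpected root element, and a non-numeric duration.
    """
    if len(data) > MAX_BYTES:
        raise ValueError("IPC message exceeds size limit")
    # expat will process DOCTYPE/ENTITY declarations; refuse them up front
    # because a legitimate IPC message never needs a DTD.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("DTD/entity declarations are not allowed")

    root = ET.fromstring(data)  # raises ET.ParseError on malformed XML
    if root.tag != EXPECTED_ROOT:
        raise ValueError(f"unexpected root element {root.tag!r}")

    kind = root.get("kind")
    if not kind or not kind.isalpha():
        raise ValueError("missing or invalid 'kind' attribute")

    seconds_text = root.findtext("seconds", default="")
    if not seconds_text.isdigit():
        raise ValueError("'seconds' must be a non-negative integer")

    return {"kind": kind, "seconds": int(seconds_text)}


def is_accepted(data: bytes) -> bool:
    """True if the message parses under the rules above, False otherwise."""
    try:
        parse_ipc_xml(data)
        return True
    except (ValueError, ET.ParseError):
        return False


if __name__ == "__main__":
    # Constructed sample messages for demonstration only.
    good = b'<activity kind="meeting"><seconds>1800</seconds></activity>'
    with_dtd = (b'<!DOCTYPE a [<!ENTITY x "y">]>'
                b'<activity kind="meeting"><seconds>1</seconds></activity>')
    print(parse_ipc_xml(good))
    print("DTD message accepted:", is_accepted(with_dtd))
```

The same allow-list idea applies on the writing side: the producer should emit only the agreed elements, and the directory holding the files should be writable only by the user account both processes run under, so the parser's strictness is a second layer rather than the only one.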