Desktop applications penetration testing

Why focus on the security of desktop applications

The desktop client is often the last mile of enterprise security. It is launched with user permissions (in some cases even administrator permissions), works with sensitive certificates, communicates with the backend, and its compromise allows for:

  • Local privilege escalation and access to domain login credentials
  • Lateral movement within the environment
  • Manipulation of business processes through the user interface
  • Use of trusted signatures to spread malware in the supply chain

Main objectives of the test

01 Detect vulnerabilities in binary code and configuration – buffer overflows, DLL hijacking, uncontrolled library loading, IPC errors.

02 Verify the update mechanism – package integrity, signature checks, downgrade attacks.

03 Assess the level of OS and EDR hardening – whether it can block injection techniques and post-exploitation tools.

04 Measure the impact on the organization’s resilience – the SOC’s ability to detect and control incidents, speed of remediation.

Phases of a desktop application penetration test

1. Information Gathering

We collect basic information about the application: how it’s distributed, which libraries it uses, and where it gets its updates from.

2. Application Analysis

We analyze how the application works internally and observe its behavior at launch to understand its structure and functionality.

3. Vulnerability Discovery

We test various inputs to determine whether the application responds correctly, aiming to discover flaws that could be exploited.

4. Vulnerability Verification

We check if the identified issues can be exploited in practice, e.g., to bypass security restrictions or escalate privileges.

5. Maintaining Access and Further Testing

We examine whether it’s possible to persist in the system after a reboot and what further actions an attacker could take (e.g., accessing other user accounts).

6. Network Movement Simulation

We simulate how an attacker might move laterally across a corporate network after initial access, for example, accessing other systems.

7. Final Report and Recommendations

The result is a detailed report with both technical and managerial summaries, severity assessments, and mitigation recommendations. The test is repeated after fixes are implemented.

Typical vulnerabilities of desktop clients


  • Insecure Updates – The application downloads updates without encryption or origin verification, allowing an attacker to inject a modified installer with malicious content.
  • Unprotected Library Loading – The program loads critical files from the wrong or unsecured locations, potentially executing malicious code.
  • Unsafe Configuration Handling – The application mishandles configuration files, potentially allowing execution of attacker-inserted code.
  • Weak Application Component Isolation – In applications using web technologies (e.g., Electron), components may not be properly isolated, so a compromise of the web-rendering layer can reach the host system.
  • Credentials Embedded in Code – Hardcoded credentials or keys in the application can be easily found and misused by attackers.
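As an added example (not BDO's code and not a description of any specific client), the following Python sketch shows the checks an update routine should enforce to avoid the "Insecure Updates" weakness above and to meet the update-mechanism objective (integrity, signature checks, downgrade protection). The vendor key, manifest fields, URL and installer bytes are constructed for the demonstration, and an HMAC stands in for the asymmetric signature a real updater would verify.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed demo key standing in for the vendor's signing key. A real updater
# verifies an asymmetric signature (e.g. Authenticode or Ed25519) over the
# manifest instead of a shared-secret HMAC; the order of checks is the same.
VENDOR_KEY = b"demo-vendor-signing-key"


def sign_manifest(manifest: dict) -> str:
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(VENDOR_KEY, body, hashlib.sha256).hexdigest()


def verify_update(manifest: dict, signature: str, installed_version: tuple,
                  payload: bytes) -> tuple:
    """Accept an update only if every check passes, in this order:
    manifest authenticity, anti-downgrade, transport, payload hash."""
    # 1. The manifest must be authentic before any field in it is trusted.
    if not hmac.compare_digest(sign_manifest(manifest), signature):
        return False, "manifest signature invalid"
    # 2. Refuse downgrades: a correctly signed *old* manifest must not be
    #    able to reinstall a build with known vulnerabilities.
    new_version = tuple(int(p) for p in manifest["version"].split("."))
    if new_version <= installed_version:
        return False, f"downgrade to {manifest['version']} refused"
    # 3. The installer must be fetched over an encrypted channel.
    if urlparse(manifest["url"]).scheme != "https":
        return False, "update URL is not https"
    # 4. The downloaded bytes must match the hash pinned in the signed manifest.
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return False, "payload hash mismatch"
    return True, "update accepted"


# Constructed sample installer bytes and manifest (not a real product).
SAMPLE_PAYLOAD = b"MZ\x90\x00 fake installer bytes for demo"
SAMPLE_MANIFEST = {
    "version": "2.1.0",
    "url": "https://updates.example.invalid/client-2.1.0.msi",
    "sha256": hashlib.sha256(SAMPLE_PAYLOAD).hexdigest(),
}
SAMPLE_SIGNATURE = sign_manifest(SAMPLE_MANIFEST)

if __name__ == "__main__":
    print(verify_update(SAMPLE_MANIFEST, SAMPLE_SIGNATURE, (2, 0, 3), SAMPLE_PAYLOAD))
    print(verify_update(SAMPLE_MANIFEST, SAMPLE_SIGNATURE, (2, 1, 0), SAMPLE_PAYLOAD))
```

Each rejected case maps to a finding a tester would report: a hash or signature failure that is ignored, a downgrade that is accepted, or a manifest URL that is trusted before its signature is checked.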

Regulation and connection to DORA


  • According to Article 25 of DORA, penetration testing of desktop applications falls under mandatory basic testing for systems supporting critical or important business functions.
  • Frequency: at least once a year for companies that are subject to this regulation, or before each deployment of a new major version.
  • The output must be documented vulnerabilities, a remediation plan and verification of removal; results from critical applications may be subject to supervisory review.
  • For financial entities designated for TLPT, desktop findings become input into a three-year red team cycle.

Test team requirements


  • Reverse engineering expertise – Windows internals, PE structure, memory corruptions.
  • Certification – e.g., OSCP, CEH, or CRTP confirming experience in exploiting client applications.
  • Independence – the internal team must be organizationally separated from development; external teams must meet liability and confidentiality criteria.

Benefits for the organization


  • Reduced risk of supply chain attacks – proactive testing of the update channel.
  • Strengthened endpoint defense – fine-tuning EDR configuration to maximize the chance of detecting real techniques, tactics, and procedures (TTPs).
  • Improved secure coding processes – development receives PoCs for identified vulnerabilities and patch patterns for this type of vulnerability.
  • Compliance with regulatory expectations – clear evidence of “security by design” that banks and insurance companies can present to supervisory authorities.

Why work with BDO?


BDO provides penetration testing of desktop applications as part of a broader strategy for securing software solutions and protecting critical business functions. Tests are conducted in line with the European DORA regulation, NIS2 recommendations, and proven security standards such as OWASP MASVS, NIST SP 800-115, and OSSTMM.

01 Regulatory framework knowledge

We understand the DORA and NIS2 requirements and can tailor tests to produce audit- and oversight-ready outputs. We assist in defining a testing strategy and aligning it with other testing types (e.g., TLPT, penetration testing).

02 Independence and credibility

As an independent consulting firm, we provide objective and trustworthy results. Our work serves as a quality signal to regulators and clients’ internal leadership.

03 Technical expertise and experience

Our team has deep experience in reverse engineering, binary code analysis, and testing of client applications in Windows environments. We use advanced tools like IDA, Ghidra, Burp Suite, WinDbg, and fuzzers (e.g., AFL++, libFuzzer). Our specialists hold certifications such as OSCP, CRTP, eCPPT, BSCP, CEH, CRT, CPSA, CISSP, CCISO, and others. They have tested applications for large banks, insurers, ICT providers, and e-government service platforms.

Main contacts

Martin Hořický

Partner • Digital Services

Marek Kovalčík

Chief Information Security Officer • Digital Services