Code review is best, but you can also try to attack the application to make it fail just to see the error messages it produces (stack traces, file paths, internal host names, and database errors are the usual culprits). You should also use and misuse the application as a non-admin user and see what information the application divulges.
Validating whether a timing attack is actually practical generally requires dynamic testing, and it also requires a reasonable understanding of statistics: you are looking for a small, consistent difference in execution time buried in measurement noise. We're not going to cover the statistics here, but we refer you to Dan Bernstein's work on cryptographic timing attacks (see the Other Resources section).
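As an added example (not from the original text or from Bernstein's papers), the following script shows the shape of such a dynamic test. It times a byte-by-byte comparison that exits early on the first mismatch against `hmac.compare_digest`, feeding each one two classes of input (a guess that mismatches in the last byte, and one that mismatches in the first byte), and then applies Welch's t-test to the two timing distributions. The 4.5 threshold is the rule of thumb used in leakage-assessment (TVLA-style) testing, not a value from the page; the secret is generated randomly and the sample counts are assumptions you should tune for your own hardware.

```python
import hmac
import math
import secrets
import statistics
import time


def leaky_compare(a: bytes, b: bytes) -> bool:
    """Deliberately non-constant-time: returns on the first differing byte,
    so the runtime grows with the number of leading bytes that match."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def constant_time_compare(a: bytes, b: bytes) -> bool:
    """Runtime does not depend on where (or whether) the inputs differ."""
    return hmac.compare_digest(a, b)


def trimmed(samples, keep=0.9):
    """Drop the slowest tail (interrupts, GC pauses) before testing; keep the
    fastest `keep` fraction of samples, but always at least two."""
    ordered = sorted(samples)
    return ordered[: max(2, int(len(ordered) * keep))]


def welch_t(xs, ys):
    """Welch's t statistic for two samples with unequal variances.
    A common rule of thumb: |t| > 4.5 means the two input classes are
    distinguishable, i.e. the code leaks through timing."""
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    vx, vy = statistics.variance(xs), statistics.variance(ys)
    denom = math.sqrt(vx / len(xs) + vy / len(ys))
    if denom == 0.0:
        return 0.0 if mx == my else math.copysign(math.inf, mx - my)
    return (mx - my) / denom


def leak_statistic(compare, secret: bytes, reps: int = 20000) -> float:
    """Time `compare(secret, guess)` for two guess classes and return the
    Welch t statistic between them. Measurements are interleaved so that
    clock drift or CPU frequency changes affect both classes equally."""
    late_mismatch = secret[:-1] + bytes([secret[-1] ^ 0xFF])   # all but last byte correct
    early_mismatch = bytes([secret[0] ^ 0xFF]) + secret[1:]    # first byte wrong
    late_ns, early_ns = [], []
    for _ in range(reps):
        t0 = time.perf_counter_ns()
        compare(secret, late_mismatch)
        late_ns.append(time.perf_counter_ns() - t0)
        t0 = time.perf_counter_ns()
        compare(secret, early_mismatch)
        early_ns.append(time.perf_counter_ns() - t0)
    return welch_t(trimmed(late_ns), trimmed(early_ns))


if __name__ == "__main__":
    secret = secrets.token_bytes(32)   # constructed secret for the demo
    for name, fn in (("leaky_compare", leaky_compare),
                     ("constant_time_compare", constant_time_compare)):
        t = leak_statistic(fn, secret)
        verdict = "LEAK" if abs(t) > 4.5 else "no evidence of leak"
        print(f"{name:22s} t = {t:8.2f}  -> {verdict}")
```

The statistic for the early-exit comparison is expected to be large and positive (late mismatches take longer), while the constant-time version should hover near zero; a single run below threshold is weak evidence, so repeat with more samples before concluding that code is safe.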
For grins and giggles, you should emulate the stolen-laptop scenario. Have someone use the application you're testing for a few weeks, then take the computer and attempt to view the data on it using various nefarious techniques, such as:
Booting a different OS from removable media and reading the disk directly
Installing a side-by-side OS setup
Installing a dual-boot system
Attempting to log on using common passwords