The most promising approach is to follow the flow of user-specified
data through the code. In a network server, for instance, locate the
main dispatch functions that read data from the network and call
functions for processing it. Follow the flow of execution as the
user-specified data is passed around, analyzed, etc. This approach can give
you a very high level of confidence in the code; the drawback is that it
usually requires you to learn a lot about the application's internals,
which may be tedious or even impossible.
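
An added example, not part of the original text: a constructed C
dispatch function annotated the way an auditor might mark user-specified
data while following it from the network read into the handlers. The
message format (opcode, length, payload) and all names are assumptions
made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example: message = [opcode:1][len:1][payload:len].
 * Audit notes mark each value derived from network input as TAINTED
 * and record where it is checked before it is used. */
#define NAME_MAX_LEN 16
struct session { char name[NAME_MAX_LEN + 1]; };

/* Sink: copies user data into a fixed-size buffer.
 * AUDIT: data and len are TAINTED; len is bounded by the check below. */
static int handle_set_name(struct session *s, const uint8_t *data, size_t len)
{
    if (len == 0 || len > NAME_MAX_LEN)   /* check on tainted len */
        return -1;
    memcpy(s->name, data, len);
    s->name[len] = '\0';
    return 0;
}

/* AUDIT: no user data reaches this handler; nothing further to trace. */
static int handle_ping(void) { return 0; }

/* Dispatch: the first function to see the bytes read from the socket.
 * AUDIT: buf[0..n) is TAINTED; n comes from the caller's read(), trusted. */
int dispatch(struct session *s, const uint8_t *buf, size_t n)
{
    if (n < 2)                            /* header must be present */
        return -1;
    uint8_t opcode = buf[0];              /* TAINTED */
    size_t  len    = buf[1];              /* TAINTED */
    if (len > n - 2)                      /* claimed length vs. bytes received */
        return -1;
    switch (opcode) {                     /* tainted opcode selects the path */
    case 0x01: return handle_ping();
    case 0x02: return handle_set_name(s, buf + 2, len);
    default:   return -1;                 /* unknown opcode is rejected */
    }
}

int main(void)
{
    struct session s = {0};
    const uint8_t msg[] = {0x02, 3, 'b', 'o', 'b'};   /* constructed sample */
    return dispatch(&s, msg, sizeof msg) == 0 ? 0 : 1;
}
```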