Information security professionals understand the need for pentetration testing on a periodic basis to identify vulnerabilities in the infrastructure that should be addressed. Penetration tests should be conducted at least annually or upon major changes to the organisations infrastructure, but what is the difference between white and black box penetration testing? And how can you tell whether white or black box penetration tests are right for the organisation?
So, firstly lets start with the difference between white and black box penetration testing.
White box penetration testing, also known glass box testing, consists of testing infrastructure or services with details of that system provided. For example, the testers may be provided with IP addresses, source code, design information or anything else that provides details to the ethical hacker. The aim of this type of testing is to provide as much information to the penetration tester as possible to maximise the testers knowledge of the system or application and identify bugs or vulnerabilities that would not of otherwise been spotted.
The advantage of white box testing is that it covers a more comprehensive set of the application or infrastructure that black box testing otherwise wouldn’t. White box testing is thorough and can include source code review of an application. White box testing is not done from the perspective of an attacker, which can sometimes give results that are not a bit too exhaustive. For example, a vulnerability identified in source code that is not externally facing may not be a risk or an issue to many organisations, therefore, the use of white box testing is probably not required.
Organisations should be careful with how they scope their penetration tests and understand when white and box testing may be required. In contrast, black box testing takes the form of an external (or sometimes internal) attacker with no prior knowledge of the application or infrastructure. The attack assumes no knowledge, therefore the tester will research all open source methods to identify any information and undertake an attack as an external party. This type of testing is how traditional penetration tests are undertaken and will give a good indication of how vulnerable the organisation is to attacks from external parties with no prior knowledge of the system.
The best way to remember the difference between white and black box penetration testing is by imaging a clear box or a dark box. In the case of a clear box, you can see everything in it and there are no secrets. For a black box, the tester has no idea of what the system or application is and must test as if they are a real attacker. The real key is identifying when you may require each type of test and how the results can be helpful to you or your organisation. White box testing is generally useful once before go live of a project to conduct a thorough review of all aspects of the application or system. With a white box test, you are able to leverage the expertise of the tester to identify any issues throughout the application or system. Black box testing should be undertaken at least annually or upon major changes to the infrastructure to maintain an appropriate level of security for all systems and applications.
Lee Hazell is an information security consultant and owner of Cyber security news.