One of the common questions that we get from our clients is about the differences between a black box penetration test and a white box penetration test.
White box testing, also known as clear box testing or glass box testing, is a penetration testing approach that uses the knowledge of the internals of the target system to elaborate the test cases. In application penetration tests the source code of the application is usually provided along with design information, interviews with developers/analysts, etc. In infrastructure penetration tests network maps, infrastructure details, etc. are provided. The goal of a white box penetration test is to provide as much information as possible to the penetration tester so that he/she can gain insight understanding of the system and elaborate the test based on it.
White box penetration testing has some clear benefits:
- Deep and thorough testing
- Maximizes testing time
- Extends the testing area where black box testing can not reach (such as quality of code, application design, etc.)
However, there are also some disadvantages:
- Non realistic attack, as the penetration tester is not in the same position as an non-informed potential attacker
A black box penetration test requires no previous information and usually takes the approach of an uninformed attacker. In a black box penetration test the penetration tester has no previous information about the target system.
The benefits of this type of attack are:
- It simulates a very realistic scenario
The disadvantages of a black box penetration test are:
- Testing time cannot be maximized in certain scenarios
- Some areas of the infrastructure might remain untested
When commissioning a penetration test, there is no right/wrong decision about white box or black box, it really depends on the scenario that needs to be tested.