Penetration Testing Black Box vs White Box

Sep 30, 2019

Penetration testing is a great way to assess the security risks associated with your IT systems, identify security bugs in your software and infrastructure, and improve your company’s security posture. However, it may be difficult to choose what type of test you need, especially if it’s your first test. In this article we explain the pros and cons of each type of test to help with your decision.

Black Box vs White Box

There are two general types of penetration test: Black Box and White Box. Black Box means that the penetration testers have no informational advantage when starting the test. They collect information about your system and software from publicly available sources, also called Open Source Intelligence (OSINT). Pen testers will also make use of publicly available application functionality, like registering a user account. Your system is essentially a “Black Box” for them when starting the test. A White Box test is when you give pen testers private information about your system: architecture diagrams, source code, infrastructure map. Pen testers start the test with prior knowledge of how your system works.

Pros & Cons

The benefits and drawbacks of each approach are listed below:

Black Box Test

Pros:
* Assess outsider threat risk without sharing any information about your system
* Simulates an actual outsider attack scenario
* Identifies Critical / High Risk findings appropriately

Cons:
* Limits the thoroughness of the tests
* Not applicable when deeper system review is required (OWASP ASVS Level 2 and 3)
* More likely to produce false positive findings
* Does not address insider threat risk

White Box Test

Pros:
* Better quality findings with 100% confidence
* More medium/low risk-level bugs will be found
* Results in more thorough review of your systems
* Produces more accurate risk assessment
* Addresses insider threat risk

Cons:
* Requires you to share information about your systems

Now that you know the difference between Black and White Box tests, you can design your own type of test, called “Grey Box”. In a Grey Box test, you decide how much information you are going to share with the pen testers. You may want to share some general details about architecture and infrastructure to stimulate the pen testers’ ability to create attack vectors, but withhold the source code and infrastructure details from them. This will lead to better quality Critical / High risk findings, but won’t help with finding more Medium / Low level bugs.

Conclusion

If you are performing the penetration test manually and use the same security firm for each test year over year, the benefits of a White Box test may well outweigh the drawbacks. On the other hand, if you prefer to change pen testers every year, a Black Box test would probably be a more appropriate solution for you.

What makes us different

80% of the tests we perform at WhiteHackLabs are Black Box tests. When we perform a White Box test, we make sure that our client still gets the benefits of a Black Box test by purposely ignoring private information provided by the client at the beginning of the test. After performing the Black Box part of the test, we move on to review private system information to validate and produce more findings.