Penetration Testing: White Box or Black Box That Suits You More?

Go to a security conference and ask the experts this question: “which technique should I use in penetration testing, white box or black box?” You would receive never-ending argumentation and explanations from two different points of view.

In the blue corner, there will always be people who argue that white box penetration testing works better because it gives you deeper, more thorough testing and better time efficiency. In the red corner, other experts will explain how the black box technique is more realistic, since real attackers are usually not able to obtain all the inside information.

As we all know, the basic difference between the white box and black box techniques lies in the information given to the testers. In white box penetration testing, testers use knowledge of the internals of the target system to design the test cases. This insider information includes design documentation and interviews with developers/analysts for an application penetration test, or network maps and infrastructure details for an infrastructure penetration test. On the other hand, the black box technique gives the testers almost no information apart from the very basics, such as a domain name. Testers need to find their own way to break into the system.

Of course, both white box and black box techniques have their own advantages and disadvantages. Therefore, the penetration testing technique that suits your organization best depends on your objectives. For example, if you want to check how safe your system is from internal attackers, white box testing will fit you better, because employees, partners, and stakeholders usually already have access to the organization’s systems or applications. On the other hand, if you want to check how well your company’s information is hidden from outsiders, black box testing should be performed.

However, in the real world, attackers can use both technical methods (e.g. DNS mining) and social methods (e.g. approaching employees) to find a way into the company’s systems. Attackers understand that human error will always be the weak link in the security chain through which they can gain more information about the systems.

For these reasons, it is common that the middle way – called gray box penetration testing – is chosen. Gray box penetration testing provides partial information to the testers. This information is not limited to the basic facts that can easily be found through research, but also includes some of the details that could plausibly be obtained through social engineering methods. This technique is also a win-win solution for organizations that do not want to hand too much confidential information to outsiders when they engage a third-party testing company. In practice, gray box penetration testing is the most commonly performed variant.

Although gray box penetration testing is widely used at the moment, if you insist on conducting separate black box and white box penetration tests, it is suggested to conduct the black box penetration test first, before conducting the white box penetration test.

The reason for this sequence is that the black box technique tells you how well your data is hidden, that is, the information attackers are not supposed to be able to find. Once you know that, it is time to find out what will happen when attackers manage to gain enough information before attacking the network.