Black box, white box, and grey box. Besides being colours (or lack thereof), what differentiates them when it comes to penetration testing?
Black box testing is like walking into a lightless cave, prepared to fight whatever you feel in front of you. It leaves little room to prepare well and encourages a more reactive approach as you come across new touch points within the system.
Hackers who have a lot of time (especially bad actors) will be more likely to do this type of testing. Besides having more time, a bad actor also usually has limited knowledge of the system that they’re attacking.
In some cases, companies looking for a penetration test will request a black box test as a “more accurate representation of what a hacker might do.” Is it true that a black box pentest could provide the same results? Not exactly. Running a penetration test black-box style does identify how a bad actor may be able to access the hidden system. However, penetration testing is done on a limited timeframe, meaning a pentester will spend most of that precious testing time getting through surface-level defences like a WAF, and less time actually testing security at the application level. A bad actor with a ton of time could continue to rummage through the application even after breaking through those other protections. So, in some ways pure black box testing can be beneficial, but it’s not recommended.
In complete contrast to black box testing, white box testing is when the tester has full access to the source code. In this option, the pentester can review the code directly to identify vulnerabilities. This is a helpful option for achieving a deep, truly comprehensive penetration test. However, many companies are hesitant to offer up their source code for review, especially if they are working with a penetration testing vendor for the first time.
What’s the middle ground between black box and white box testing? Grey box testing.
Grey box testing is when you have a better understanding of the system, and you may or may not have some source code. This approach is most effective for web application testing. Usually, additional protective measures like a WAF are disabled in grey box testing, so it’s easier for the penetration tester to get deeper into the system.
While most penetration tests are done in a black box, the most effective penetration tests are grey box.
Finds more vulnerabilities within the testing time.
In red teaming, the goal is to break into the application and find just one vulnerability to confirm that the application is penetrable. This is an ideal black box approach.
However, the point of a penetration test is to identify as many vulnerabilities as possible. When things like WAFs or other defences are disabled, the penetration tester can spend more time within the application layer itself. With more time in the application layer, the penetration tester is likely to find a lot more vulnerabilities and therefore offer more recommendations for a more robust, secure application. And with more results, you get more bang for your buck.
Still offers some level of privacy.
Some companies opt away from white box testing as they’re not yet comfortable handing over their source code. Grey box testing is the compromise: a penetration tester can ask as many questions as needed about the application to help find deeper vulnerabilities, without needing the source code. However, grey box testing can also mean that companies provide bits of code where they are comfortable doing so, or where it is required for a more effective test.
Clear goals can be defined.
Similar to the point above, control remains in the company’s hands. They can determine how much information to provide to the penetration testers.
As our relationship and trust grow over time, companies can share more source code to help us continue diving deeper and building a better understanding of the application(s). Again, this ensures a better penetration test and more comprehensive results.
Black box, white box and grey box pentests all have unique benefits. Some things to keep in mind to help you determine which approach is best for you include: