Nov 18, 21 1:45 pm

Was this post helpful?

Why Grey Box Pentests Are Most Effective

Nov 18, 2021
| by:
Alex Hewko

Why Grey Box Pentests Are Most Effective

Black box, white box, and grey box. Besides being colours (or lack thereof), what differentiates them when it comes to penetration testing?

Black Box Penetration Testing

Black box testing is like walking into a lightless cave, prepared to fight with whatever you feel in front of you. It lacks the ability to prepare well, and encourages a more reactive approach as you come across new touch points within the system.

Hackers who have a lot of time (especially bad actors) will be more likely to do this type of testing. Besides having more time, a bad actor also usually has limited knowledge of the system that they’re attacking.

In some cases, companies looking for a penetration test will request a black box test as a “more accurate representation of what a hacker might do.” Is this true that a black box pentest could provide the same results? Not exactly. Running a penetration test black-box style does identify how a bad actor may be able to access the hidden system. Though, penetration testing is done on a limited timeframe. Meaning, a pentester will spend most of that precious testing time getting through surface-level defences like a WAF, and spend less time actually testing security on the application level. In the case of a bad actor who has a ton of time, they could continue to rummage through the application even after breaking through other protections. So, in some ways pure black box testing can be beneficial, but it’s not recommended.

White Box Penetration Testing

In complete contrast to black box testing, white box testing is when the tester has full access to source code. In this option, the pentester can easily review the code to identify vulnerabilities. This is a helpful option for achieving a deep, truly comprehensive penetration test. Though, many companies can be hesitant to offer up their source code for review, especially if they are working with a penetration testing vendor for the first time.

The Compromise: Grey Box Testing

What’s the middle between black box and white box testing? Grey box testing.

Grey box testing is when you have a better understanding of the system, and you may or may not have some source code. This approach is most effective for web application testing. Usually, additional protective measures like a WAF are disabled in grey box testing, so it’s easier for the penetration tester to get deeper into the system.

While most penetration tests are done in a black box, the most effective penetration tests are grey box.

Difference between white black grey pentests

Why Most Pentests Are Grey Box

Finds more vulnerabilities within the testing time.

In red teaming, the goal is to break into the application and find just one vulnerability to confirm that the application is penetrable. This is an ideal black box approach.

However, the point of a penetration test is to identify as many vulnerabilities as possible. When things like WAFs or other defenses are disabled, the penetration tester can spend more time within the application-level itself. With more time in the application layer, the penetration tester is likely to find a lot more vulnerabilities and therefore, offer more recommendations for a more robust, secure application. And with more results, you get more bang for your buck.

Still offers some level of privacy.

Some companies opt away from white box testing as they’re not yet comfortable handing over their open source code. Grey box testing is the compromise situation where a penetration tester can ask as many questions as needed about the application to help find deeper vulnerabilities, without needing the open source code. However, grey box testing can mean that companies provide bits of code where comfortable or required for a more effective test.

Clear goals can be defined.

Similar to the point above, the control remains in the company’s hands. They can determine how much information to provide to the penetration testers.

As our relationship and trust grows over time, companies can share more open source code to help us continue diving deeper and building a better understanding of the application(s). Again, this ensures a better penetration test and more comprehensive results.

What Type of Test is Best For You?

Black box, white box and grey box pentests all have unique benefits. Some things to keep in mind to keep you determine which approach is best for you include:

  • Your testing timelines
  • Your security or compliance requirements
  • Depth of results required
  • Type of application testing & complexity
  • Additional protective measures built on your application
  • Trust with pentesting vendor

Was this post helpful?

About the Author

Alex Hewko
Alex is the Marketing Manager here at Software Secured. She enjoys writing to learn about cybersecurity, leadership, and technology in sales & marketing processes. She shares her insights from a background in international marketing and information technology. From launching global marketing campaigns in the tech and CE industry, to completing a Master's research project on humanizing remote B2B selling processes, Alex is passionate about storytelling and educating audiences on topics that haven't yet been talked about.
Share This Post

Leave a Reply

Your email address will not be published.

Related Post

Aug 9, 2023 by Cate Callegari

Worried Penetration Testing Will Derail Your Sprint Cycle?

Read more

Was this post helpful?

Aug 2, 2023 by Omkar Hiremath

Burp versus Zap

Read more

Was this post helpful?

Jul 13, 2023 by Shimon Brathwaite

Mastering SLAs: 4 Ways to Meet Your Deadlines

Read more

Was this post helpful?


301 Moodie Dr. Unit 108
Ottawa ON K2H 9C4

Designed by WP Expert
© 2023
Software Secured