Why Grey Box Pentests Are Most Effective

November 18, 2021 | By: Alex Hewko

Black box, white box, and grey box. Besides being colours (or lack thereof), what differentiates them when it comes to penetration testing?

Black Box Penetration Testing

Black box testing is like walking into a lightless cave, prepared to fight with whatever you feel in front of you. The tester has little opportunity to prepare, and the approach is necessarily reactive as new touch points within the system are discovered.

Hackers who have a lot of time (especially bad actors) are more likely to work this way. Besides having more time, a bad actor usually also has limited knowledge of the system they are attacking.

In some cases, companies looking for a penetration test will request a black box test as a “more accurate representation of what a hacker might do.” Is it true that a black box pentest provides the same results? Not exactly. Running a penetration test black-box style does show how a bad actor might gain access to the system from the outside. However, penetration testing is done on a limited timeframe. That means a pentester will spend most of that precious testing time getting through surface-level defences like a WAF, and less time actually testing security at the application level. A bad actor with a great deal of time can keep rummaging through the application long after breaking through those outer protections. So, in some ways pure black box testing can be beneficial, but it’s not recommended.

White Box Penetration Testing

In complete contrast to black box testing, white box testing is when the tester has full access to the source code. With this option, the pentester can review the code directly to identify vulnerabilities, which makes it a helpful choice for achieving a deep, truly comprehensive penetration test. However, many companies are hesitant to hand over their source code for review, especially when working with a penetration testing vendor for the first time.

The Compromise: Grey Box Testing

What’s the middle ground between black box and white box testing? Grey box testing.

In grey box testing, the tester has a better understanding of the system and may or may not have access to some of the source code. This approach is most effective for web application testing. Usually, additional protective measures like a WAF are disabled in grey box testing, so it’s easier for the penetration tester to get deeper into the system.

While most penetration tests are done in a black box, the most effective penetration tests are grey box.

Why Most Pentests Are Grey Box

Finds more vulnerabilities within the testing time

In red teaming, the goal is to break into the application and find just one vulnerability to confirm that the application is penetrable. That is an ideal use of the black box approach.

However, the point of a penetration test is to identify as many vulnerabilities as possible. When things like WAFs or other defenses are disabled, the penetration tester can spend more time at the application level itself. With more time in the application layer, the penetration tester is likely to find many more vulnerabilities and therefore offer more recommendations for a more robust, secure application. And with more results, you get more bang for your buck.

Still offers some level of privacy

Some companies opt away from white box testing because they’re not yet comfortable handing over their source code. Grey box testing is the compromise: a penetration tester can ask as many questions as needed about the application to help find deeper vulnerabilities, without needing the source code. Where a company is comfortable, or where it is required for a more effective test, grey box testing can also mean providing selected pieces of code.

Clear goals can be defined

Similar to the point above, the control remains in the company’s hands. They can determine how much information to provide to the penetration testers.

As our relationship and trust grow over time, companies can share more of their source code to help us keep diving deeper and building a better understanding of the application(s). Again, this ensures a better penetration test and more comprehensive results.

What Type of Test is Best For You?

Black box, white box and grey box pentests all have unique benefits. Some things to keep in mind to help you determine which approach is best for you include:

  • Your testing timelines
  • Your security or compliance requirements
  • Depth of results required
  • Type of application testing & complexity
  • Additional protective measures built on your application
  • Trust with pentesting vendor
