White Box Penetration Testing:
White box penetration testing involves sharing full network and system information with the tester, including network maps and credentials. This helps to save time and reduce the overall cost of an engagement.
A white box penetration test is useful for simulating a targeted attack on a specific system utilising as many attack vectors as possible.
The process is the opposite method of black-box penetration testing. The testers are also provided with complete access to architecture documents of web application, its source code and more. This testing practice helps the testers to perform static code analysis by improving the familiarity with the source code, debuggers, and the usage of tools. This method is a comprehensive assessment method of testing to identify external and internal vulnerabilities.
Black Box Penetration Testing:
In a black box penetration test, no information is provided to the tester at all. The pen tester in this instance follows the approach of an unprivileged attacker, from initial access and execution through to exploitation.
This scenario can be seen as the most authentic, demonstrating how an adversary with no inside knowledge would target and compromise an organisation. However, this typically makes it the costliest option too.
In this type of penetration testing, the pentester plays a similar role as a hacker, with no knowledge upon the targeting system. This method helps to sort out the vulnerabilities that can be exploited from the outside network. To perform the black box pen testing, the pentester should be familiar with the methods of manual penetration testing and automated scanning tools.
Grey Box Penetration Testing:
In a grey box penetration test, also known as a translucent box test, only limited information is shared with the tester. Usually this takes the form of login credentials. In addition to this, the testers will be provided with partial knowledge or access to the web application and internal network.
Grey box testing is useful to help understand the level of access a privileged user could gain and the potential damage they could cause. Grey box tests strike a balance between depth and efficiency and can be used to simulate either an insider threat or an attack that has breached the network perimeter.
NOTE:
In most real-world attacks, a persistent adversary will need to conduct a detailed reconnaissance on the target environment, giving them similar knowledge to an insider. That is the reason that grey box testing is often favoured by customers as the best balance between efficiency and authenticity, stripping out potentially time-consuming reconnaissance.
It is recommended that your organisation should commission security testing at least once per year. If you make some significant changes to your IT infrastructure, or you are about to launch a new web product/service, or your organisation has recently merged with another or acquired the another, then you must conduct some additional assessments.
If your organisation has vast IT estates, or you process large volumes of personal and financial data or have strict compliance requirements to adhere to, then you should consider conducting pentests even more frequently.
-
Kindly leave me your comments.
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so obsessed with Cybersecurity domain that she is going out of her way and sharing hugely valuable posts and writings about Cybersecurity on website, and social media platforms.
30,000+ professionals are following her on Facebook and mesmerized by the quality of content of her posts on Facebook.
If you haven't yet been touched by her enthusiastic work of sharing quality info about Cybersecurity, then you can follow her on Facebook:
Click Here to follow her: Cybersecurity PRISM