Penetration testing is a form of ethical security assessment which aims to help organizations identify, safely exploit, remove vulnerabilities and overall improve security across its IT infrastructure and information assets.
There are three primary approaches to conduct a penetration test.
Black-Box Testing
What is it?
In a “Black-Box” penetration testing activity, the actor simulates an attack using the same methods and techniques as a real adversary
would but with no prior knowledge of the target system(s). No source code, configuration or architecture information is given to the tester.
In a black-box penetration testing activity, the attacker needs to put in a lot of effort in the reconnaissance phase of the attack, which is critical to gather as much information as possible to proceed with any further penetration testing activities.
Advantages and Disadvantages
| Pros | Cons |
| Simulate a real world attack | No comprehensive review of the internal systems |
| Identify vulnerabilities which can be exploited | No source code review |
| Identify configuration issues | Difficult to automate |
| Employ social engineering techniques to discover security issues related to people | Difficult to calculate test coverage |
| Tests can be executed by outsourced third parties | Black-Box tests may be performed on non-production environments, which are potentially different than the production environments |
Grey-Box Testing
What is it?
During a “Grey-Box” penetration testing activity, the organization shares limited information about the target system(s) with the tester.
This information may be user login credentials or some knowledge of the network/system design, architecture documentation.
The amount of information disclosed to the tester is decided in the per-engagement phase between the security professional and the customer.
Grey-Box tests aim to understand what potential damage partial information access or privileged users could cause to a business.
Advantages and Disadvantages
| Pros | Cons |
| Focus on critical systems with highest risk from the beginning | May take longer to perform than black-box testing due to the larger amount of information to be analyzed compared to Black-Box testing |
| Knowledge of the target system may help the test design the test activities faster and more extensively | Limited to no access to source code. Critical vulnerabilities could be missed. |
| The tester may identify issues on applications from the user’s perspective which the developers have missed during unit testing | In-place protections (e.g. firewalls, IPSs) could limit the tester to not be able to thoroughly test all systems |
| Can simulate an insider threat | |
| Is faster and possibly cheaper that black-box testing depending on the agreed scope | |
White-Box Testing
What is it?
White-Box penetration testing is the type of penetration testing activity in which the tester has (mostly) full access to information such as source code, network and system architecture and foothold inside the infrastructure which is to be tested.
This method mimics a potential attack coming from inside the company, from an attacker who has already gained access to an internal system.
The penetration tester tries to exploit system level security and configuration weaknesses with a goal to go as deep as possible and gain the highest level of privileges and access to as many systems, applications and information as possible.
This way, the business can have a clearer view on how much damage an attack can cause to the organization.
Advantages and Disadvantages
| Pros | Cons |
| Tests are deep and thorough | Can be expensive in time and cost |
| Identify configuration issues throughout the infrastructure | Skilled testers are required with programming knowledge |
| Deep security analysis of source code can be performed | A vast amount of findings could result due to the complete disclosure of information. This may lead to internal teams to dedicate a lot of time for remediation to non-critical issues. |
| Faster communication with internal teams e.g. admins, developers and QA teams for the remediation of any findings | The findings on the final report are often not classified properly (high, medium, low) with a risk-based approach. |
| Need to transfer a lot of information to the tester prior to the test |
Which Approach Should You Choose?
Deciding which testing methodology to adopt depends on your goals you wish to achieve through this test.
Black-box is the most realistic testing method, but you may end up focusing on less important attack areas and overlook high-risk internal vulnerabilities.
Grey-box is often more effective, allowing you to increase the attack coverage and efficiency while at the same time simulate a real world attack.
White-box helps you focus directly to high-risk areas within your network, systems and applications but requires a lot of knowledge transfer to the penetration tester.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is a certified: CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills on penetration testing, cloud technologies, virtualization, network security, IoT and many more.
