[WEB SECURITY] FW: What's the Difference; PEN Testing and Black Box Testing?

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Fri May 9 22:38:41 EDT 2008

Black box testing is a type of pen testing. "Pen testing" is short for "penetration testing", which denotes any kind of testing whereby the analysts are actually attacking a website, rather than simply reviewing code, looking at architecture diagrams or performing threat modeling.
Black box penetration testing is an attack simulation where the analysts attack the application without knowing the inner workings of the system they are attacking. There is always something of a debate over whether or not it is more effective than "white box" testing, the opposite type of live attack simulation where the analysts have access to all the details of the system during the penetration test, such as the source code, configuration files, etc. 
The arguments in the security world usually go something like this:

	Blackbox is better because you don't give your source code to scary consultants and it's more realistic
	Whitebox is better because it's cheaper and you find more

Hope that helps clear things up. I'll let someone who's more passionate about SDLC speak to your question about what is best to do where.


From: Susan Smoter [mailto:spire20707 at verizon.net]
Sent: Fri 5/9/2008 8:13 PM
To: websecurity at webappsec.org
Cc: spire at jhu.edu
Subject: [WEB SECURITY] FW: What's the Difference; PEN Testing and Black Box Testing?

I've been on this list for some time and I find it very helpful. Now I'd like some help. I have seen the terms PEN Testing and Black Box Testing used interchangeably, but I think they are or can be different types of tests. Seems that black box tools can be used by developers to eliminate coding issues and to validate false positives from white box/static testing, while PEN testing would only attempt to "break and enter" without necessarily providing coders with info about fixing the identified vulnerabilities. If I've got this correct, then I'd like to find a better set of terminologies to use to differentiate between security testing done while in the SDLC phases and that done in preparation for application deployment.


Thanks for some clarification - I'm working on establishing Application Vulnerability Management and am having difficulty getting everyone on the same page due to overlapping semantics.


