[WEB SECURITY] FW: What's the Difference; PEN Testing and Black Box Testing?

Joe White joe at cyberlocksmith.com
Fri May 9 23:54:04 EDT 2008

Hi Susan,

My understanding of the term "Black Box" is that it assumes no prior
knowledge, meaning that the target is black or without prior knowledge
when the assessment and/or pen test is started.  It is fair to say
that the term "Black Box" can be applied to any activity that
commences with no prior knowledge.  Of course the term "white box"
then implies some prior knowledge, etc.

Pen-testing (Penetration testing) is often used interchangeably with
the term "ethical hacking" but I believe they are effectively
synonymous and I also think that you can have a "Black Box" Pen-test
or ethical hacking engagement, just like you can have a "white box"
penetration test or ethical hacking engagement.  Again, "black box"
means no prior knowledge and "white box" implies that some prior
knowledge of the target was offered by the organization requesting
the pen-test.

I suppose the analogy also extends to SDLC in the sense that if you
are supplied the entire source code (white box) or you are not (black

hope this helps,


On Fri, May 9, 2008 at 5:13 PM, Susan Smoter <spire20707 at verizon.net> wrote:
> I've been on this list for some time and I find it very helpful.  Now I'd
> like some help.  I have seen the terms PEN Testing and Black Box Testing
> used interchangeably, but I think they are or can be different types of
> tests.  Seems that black box tools be used by developers to eliminate coding
> issues and to validate false positives from white box/static testing, while
> PEN testing would only attempt to "break and enter" without necessarily
> providing coders with info about fixing the identified vulnerabilities.  If
> I've got this correct, then I'd like to find a better set of terminologies
> to use to differentiate between security testing while in the SDLC phases
> and those done in preparation for application deployment.
> Thanks for some clarification – I'm working on establishing Application
> Vulnerability Management and am having difficulty getting everyone on the
> same page due to overlapping semantics.
> Susan
