Penetration testing is simply fun work. If you like a good mystery novel or a psychological thriller movie, you’ll love penetration testing because you never know what’s around the next corner. Being allowed to try to find the holes in applications and infrastructure is like being a kid in a candy shop. You sit starry-eyed looking at all the options, wondering where to begin.
One question I routinely get is which type of testing is better, white box or black box. Being the black-and-white kind of guy I am, that’s easy: neither is better. Both methods have a specific purpose. If you are considering hiring someone to do testing, you probably actually want both, and here’s why.
Black box testing is designed to determine the strength of your systems and their ability to withstand attack from external sources that have limited knowledge of your architecture. This is very useful when trying to assess the risk of attack from the outside. I’d love to say that in today’s world most organizations are safe here and black box testing won’t yield much information. In reality, companies are often vulnerable to attacks from anyone and everyone who simply passes by on the digital highway. Sad…but true.
On the other hand, white box testing assumes that an attacker has some level of knowledge of a given system. It could be a user ID, known software versions, offsite backup tape locations, network diagrams, etc. White box testing is ideal for those who need to know how much damage could occur if certain information is known to an attacker.
So trying to say one is better than the other is like trying to say a truck is better than a car. The truth is that both meet basic transportation needs but have different intended purposes: one is more suited to transporting cargo, the other to transporting people. You have to know your objectives when picking a vehicle to use. When determining which type of testing to use, the first step is to identify your objectives for the test. Once you know what you want to accomplish with the testing, you should have no problem picking a method. You may even decide to do both.