From: auto125268@hushmail.com
Date: Tue Jan 15 2002 - 01:48:17 CST
White box testing is almost always better, IMHO. Most pen tests on web applications I have seen fall really short of the mark. Take, for instance, when some of my apps were tested by a Big 4 firm. They wrote down that persistent cookies were bad, period, and should never be used. If they had looked at the code they would have seen it just contains a first-name greeting and language preference for when you first return to the site, XORed for no real reason at all. That's my point: black box testing is a lot of guessing and assuming. When you do source analysis, you can see exactly how everything works and what was done properly. Again, no pen test firms I have seen have ever tried to reverse engineer my random session tokens. When we had a code audit done, a known problem was found immediately.
White box testing, IMHO, is much more skilled and takes longer, but gives better, more accurate results (side-by-side comparison). And because the testers are more skilled, they generally get on better with the dev teams than a suited grad with a scanner. There's nothing wrong with scanners; the golden rule for me is: "if they could do the thousand tests by hand if time wasn't an issue, could they?"
You can also find overflows much quicker, input filters, etc.
On Mon, 14 Jan 2002 22:44:24 -0800 (PST), The Owasp Project <owasp@owasp.org> wrote:
>As you know we are going to capture a topic a week
>and compile the best knowledge into some of the
>testing Framework sections at www.owasp.org. So this
>week's topic is Black Box vs White Box testing.
>
>What is black box and white box testing; when is it
>appropriate to use one or the other; should you do
>both; what can you find with one that you can't find
>with another; is one more skilled; does one cost
>more to do; does one take longer; which one produces
>better results etc.
>
>Please share your experience, points of view or
>thoughts and we'll capture it for the testing
>Framework project.
>
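Worked illustration of the session-token point made in the post above, added here as an example; it is not code from the original post or from the poster's application. It shows a hypothetical token generator seeded from the wall clock: an output-only (black box) check of the tokens finds nothing, while a reader of the source knows the seed is a timestamp, recovers it by brute force and can enumerate the tokens of neighbouring sessions. The function names, the timestamp SEED_BASE and the sample tokens are all constructed for the example.

```python
"""Added illustration for the black box vs white box thread. Hypothetical
code, not from the original post or any real application: a session-token
generator whose flaw is obvious in source review but invisible to checks
that only look at the emitted tokens."""
import random
import secrets
from typing import List, Optional

SEED_BASE = 1_700_000_000  # constructed example login time, in seconds


def weak_token(seed: int) -> str:
    """128-bit hex token from Mersenne Twister seeded with a timestamp.
    The output looks random; the effective keyspace is the few seconds
    in which the token could have been issued."""
    rng = random.Random(seed)
    return "".join(f"{rng.getrandbits(32):08x}" for _ in range(4))


def issue_weak_token(now_s: int) -> str:
    """What the flawed app does at login: seed with int(time.time())."""
    return weak_token(now_s)


def recover_seed(observed: str, window_start: int, window_end: int) -> Optional[int]:
    """White-box attack: knowing the algorithm from the source, brute-force
    the issue time over a plausible window and match the observed token."""
    for s in range(window_start, window_end + 1):
        if weak_token(s) == observed:
            return s
    return None


def candidate_tokens(seed: int, spread_s: int) -> List[str]:
    """Every token the app could have issued within +/- spread_s seconds of
    the recovered seed: any other session opened in that window is listed."""
    return [weak_token(s) for s in range(seed - spread_s, seed + spread_s + 1)]


def looks_random(tokens: List[str]) -> bool:
    """Black-box style check: fixed length, no repeats, every hex digit used.
    The weak generator passes it, which is why output-only testing misses
    the seeding problem."""
    if any(len(t) != 32 for t in tokens):
        return False
    if len(set(tokens)) != len(tokens):
        return False
    return set("".join(tokens)) == set("0123456789abcdef")


def strong_token() -> str:
    """Hardened form: OS CSPRNG, so there is no seed to recover."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    mine = issue_weak_token(SEED_BASE)            # attacker's own session
    victim = issue_weak_token(SEED_BASE + 2)      # another user, 2 s later
    seed = recover_seed(mine, SEED_BASE - 300, SEED_BASE + 300)
    print("recovered seed:", seed)
    print("victim session in candidate list:", victim in candidate_tokens(seed, 5))
    sample = [issue_weak_token(SEED_BASE + i) for i in range(200)]
    print("black-box randomness check passes for weak tokens:", looks_random(sample))
    print("strong token:", strong_token())
```

The brute force in recover_seed is only possible because the reviewer has read the generator and knows the seed is a second-granularity timestamp; with nothing but captured tokens, a tester would have to collect many samples and guess at the construction, which is the gap between the two approaches the post describes.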