From: The Owasp Project (owaspowasp.org)
Date: Thu Jan 17 2002 - 14:44:23 CST


    I think lots of people were pleasantly surprised at
    the common consensus that white box testing is more
    effective than black box testing when done well,
    although it generally takes longer and costs more. None
    more than me, given the list has historically been
    black box pen test focused.

    A few people expressed concern about the terms black
    box and white box etc.

    It seems you could build up a matrix based on:

    with system knowledge vs without system knowledge
    with user privileges vs without user privileges
    with admin privileges vs without admin privileges
    with access to source vs without access to source
    with access to system OS vs without access to system OS

    Each combination would allow you to test for
    different things. For instance, with access to the
    system's OS you can look at runtime issues (some
    commercial companies seem to be building runtime
    analysis tools).

    Does this seem like a better approach? Any ideas to
    improve?

    Also, does anyone want to share a good basic
    methodology for a security source code review?