Penetration testing offers several engagement models under which a corporation can engage a third-party tester. Driven by business requirements, compliance mandates, or even a merger or acquisition, organizations may consider several types of penetration test: white box, black box, or gray box engagements. White box engagements are fully transparent to everyone involved in the pen test.
White Box Testing
White box is one type of testing. Code review is one element of the overall white box engagement; development code and alpha and beta releases are also common areas of test during the engagement.
- White box tests include static and dynamic work streams.
- It is the most time-consuming of the three methods.
- White box teams know how systems work.
- White box teams will expose complex vulnerabilities, including encryption access, API calls, and data path replication.
- During a white box project, testing may come to a stop once high-risk internal vulnerabilities have been discovered.
- Higher-risk systems are the first ones pen testers focus on.
White box penetration testing provides a comprehensive assessment of both internal and external vulnerabilities, making it the best choice for calculation testing. Commonly, organizations execute a white box pen test prior to the alpha or beta release of an upcoming software package.
The close relationship between white box pen testers and developers provides a high level of system knowledge but may affect the testers’ behavior, since they operate on knowledge that is not available to attackers. White box engagements can span multiple months and many systems. Within an Agile model, white box pen testing can be integrated into several sprints at once.
Engagement Accuracy for Clients to Consider When Engaging a 3rd Party Pen Team
The purpose of transparent (white) box testing is to identify and patch the vulnerabilities that an attacker would exploit. Not all pen testers have the in-house expertise to perform all three methods. Some pen teams have very strong black box testers; many of these testers were formerly black-hat hackers known for their “underground” skills and autonomy. Gray box testers are often ex-military or corporate cyber security experts who have working knowledge of business applications along with black-hat skills. White box third-party testers come from all parts of the hacking community and often have a long history of working inside corporations. Choosing the proper third-party pen testing team is critical to getting highly accurate results that are relevant to the organization’s engagement goals.
A penetration testing company’s security consultants should be experienced enough to customize every engagement, adjusting their focus to fit the client’s needs. No client’s architecture or application fits into a predefined box; each requires an adaptive testing method to develop a solution that works best for that organization. Clients should conduct a background check on the third-party company and validate that its team members are employees or vetted contractors. This matters especially for a white box engagement, where the third party will have full access to every internal and external system. Organizations should verify the testers’ backgrounds, experience, and credentials.
White Box Penetration Testing Example
The more critical the system or software, the more thorough the test should be. For example, when deploying a loan origination application, the organization may have several components deployed in a virtual private cloud within Google Cloud, AWS, or Azure. The company could also use an API into Oracle’s cloud-based database platform. Part of the white box testing scope will include validating the various ways in which the target audience connects to the loan application. Users today may connect via PC, Mac, or mobile device, or be linked in through another third-party mortgage hosting provider that uses a different company’s loan origination package.
Considering this example, here are some key areas that a pen testing team completing a white box engagement for a loan origination company would focus on:
- Pen test the virtual private cloud instance.
- Pen test all internal access to the new platform.
- Pen test all levels of access, including user, admin, and guest.
- Pen test the various APIs, including the one connecting to the Oracle Cloud application.
- Pen test the various endpoints prior to connecting them to the loan application to determine whether any keyloggers, malware, or viruses are present.
- Pen test the on-premises application components before allowing them to connect to the cloud instance (internal API).
- Pen test before, during, and after the application tester runs through a series of loan application processes. It is critical to see whether any of the loan processes could expose known or unknown security holes within the application platform. This is common with Microsoft .NET and Java development: security issues may not surface until a certain sequence of executable code has completed.
- Pen test any third-party platforms, including software asset tools and backup and archive systems, including those deployed in the public cloud.
- Review all third parties’ SOC 2 compliance reports to verify that the proper controls are in place before allowing any connections.
- Pen test any system that has recently completed any form of remediation.
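The access-level item above (user, admin, and guest) is something a white box tester can check systematically, because the expected access policy is known from the design and the code. The following is an added example, not code from the original article: a constructed in-memory stand-in for a loan application service, an expected policy (the roles, action names, and status codes are all assumptions for this illustration), and a check that exercises every role against every action and reports each deviation from the policy. A deliberately mis-configured policy is included so the check has something to find.

```python
"""Authorization-matrix check for a loan origination service (illustrative)."""
from dataclasses import dataclass

# Access levels and actions are constructed for this example.
ROLES = ("guest", "user", "admin")

# Expected policy from the design docs: action -> roles allowed to perform it.
EXPECTED_POLICY = {
    "view_application": {"user", "admin"},
    "submit_application": {"user", "admin"},
    "approve_application": {"admin"},
    "export_pii": {"admin"},
}


@dataclass
class LoanService:
    """Minimal stand-in for the application under test (constructed)."""
    policy: dict  # action -> set of roles the deployed code actually allows

    def call(self, role: str, action: str) -> int:
        """Return an HTTP-like status: 200 allowed, 403 denied, 404 unknown action."""
        if action not in self.policy:
            return 404
        return 200 if role in self.policy[action] else 403


def run_authz_matrix(service: LoanService, expected=EXPECTED_POLICY):
    """Exercise every (role, action) pair and return the deviations found.

    Each deviation is (role, action, expected_status, observed_status).
    An empty list means observed behaviour matches the expected policy.
    """
    deviations = []
    for action, allowed in expected.items():
        for role in ROLES:
            want = 200 if role in allowed else 403
            got = service.call(role, action)
            if got != want:
                deviations.append((role, action, want, got))
    return deviations


# A deployed policy with two defects constructed for the example: guests can
# read applications, and ordinary users were granted approval rights.
FLAWED_POLICY = {
    "view_application": {"guest", "user", "admin"},
    "submit_application": {"user", "admin"},
    "approve_application": {"user", "admin"},
    "export_pii": {"admin"},
}


def findings_for_flawed_service():
    """Run the matrix against the mis-configured service."""
    return run_authz_matrix(LoanService(FLAWED_POLICY))


def findings_for_fixed_service():
    """Run the matrix against a service whose policy matches the design."""
    return run_authz_matrix(LoanService(dict(EXPECTED_POLICY)))


if __name__ == "__main__":
    for role, action, want, got in findings_for_flawed_service():
        print(f"{role:6} {action:20} expected {want} observed {got}")
    print("fixed service deviations:", findings_for_fixed_service())
```

In a real engagement the `call` method would be replaced by an authenticated HTTP request for each role, and the expected matrix would be taken from the design documentation the client supplied; the value of the white box approach is that the tester can compare observed behaviour against the stated policy rather than guessing what it should be.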
Interpreting the Outcome
The tester creates a report that communicates the results of the entire testing process. The report should be in a format that is easy to understand, give a detailed description of the testing activity, and summarize the outputs of the testing tasks. The final report should also summarize the initial goals, any roadblocks, and the completed and partially completed tasks. Clients need to understand the value of the report so that its content is relevant and useful for the decisions that must be made about their software or platform launch.
Which Approach is Right for Your Organization?
Black box is the most realistic testing method, and gray box penetration testing is the most effective. White box tests are the most comprehensive, but they require a large amount of data and knowledge to be made available to the consultant so that the probability of identifying and mitigating all internal and external vulnerabilities is increased. All three testing methods are defined by the time, efficiency, and exposure the client is prepared to grant the consultant.