[WEB SECURITY] FW: What's the Difference; PEN Testing and Black Box Testing?
- From: "Susan Smoter" <spire20707@xxxxxxxxxxx>
- Subject: [WEB SECURITY] FW: What's the Difference; PEN Testing and Black Box Testing?
- Date: Fri, 09 May 2008 20:13:07 -0400
I've been on this list for some time and I find it very helpful. Now I'd
like some help. I have seen the terms PEN Testing and Black Box Testing
used interchangeably, but I think they are or can be different types of
tests. Seems that black box tools would be used by developers to eliminate coding
issues and to validate false positives from white box/static testing, while
PEN testing would only attempt to "break and enter" without necessarily
providing coders with info about fixing the identified vulnerabilities. If
I've got this correct, then I'd like to find a better set of terminologies
to use to differentiate between security testing while in the SDLC phases
and those done in preparation for application deployment.

Thanks for some clarification - I'm working on establishing Application
Vulnerability Management and am having difficulty getting everyone on the
same page due to overlapping semantics.

Susan
Brought to you by http://www.webappsec.org