
RE: [WEB SECURITY] FW: What's the Difference; PEN Testing and Black Box Testing?




Susan,

Black box testing is a type of pen testing. "Pen testing" is short for "penetration testing", which denotes any kind of testing whereby the analysts are actually attacking a website, rather than simply reviewing code, looking at architecture diagrams or performing threat modeling.

Black box penetration testing is an attack simulation where the analysts attack the application without knowing the inner workings of the system they are attacking. There is always something of a debate over whether or not it is more effective than "white box" testing, the opposite type of live attack simulation where the analysts have access to all the details of the system during the penetration test, such as the source code, configuration files, etc.

The arguments in the security world usually go something like this:

* Blackbox is better because you don't give your source code to scary consultants and it's more realistic
* Whitebox is better because it's cheaper and you find more

Hope that helps clear things up. I'll let someone who's more passionate about SDLC speak to your question about what is best to do where.

Cheers,
Arshan

________________________________

From: Susan Smoter [mailto:spire20707@verizon.net]
Sent: Fri 5/9/2008 8:13 PM
To: websecurity@webappsec.org
Cc: spire@jhu.edu
Subject: [WEB SECURITY] FW: What's the Difference; PEN Testing and Black Box Testing?



I've been on this list for some time and I find it very helpful. Now I'd like some help. I have seen the terms PEN Testing and Black Box Testing used interchangeably, but I think they are or can be different types of tests. Seems that black box tools can be used by developers to eliminate coding issues and to validate false positives from white box/static testing, while PEN testing would only attempt to "break and enter" without necessarily providing coders with info about fixing the identified vulnerabilities. If I've got this correct, then I'd like to find a better set of terminologies to use to differentiate between security testing while in the SDLC phases and those done in preparation for application deployment.

Thanks for some clarification - I'm working on establishing Application Vulnerability Management and am having difficulty getting everyone on the same page due to overlapping semantics.


Susan





Brought to you by http://www.webappsec.org