White Box Testing
In this type of Pen test, also known as “Clear Box Testing”, the tester has full knowledge an access to both the source code and software architecture of the Web Application. Because of this, a White Box Test can be accomplished in a much quicker time frame when compared to a Black Box Test. The other advantage of this is that a much more thorough Pen Test can be completed. But, this approach also has its set of disadvantages. First, since a tester has complete knowledge, it could take more time to decide on what to specifically focus on in terms of system and component testing and analysis. Second, in order to conduct this type of test, more sophisticated tools are required such as that of software code analyzers and debuggers.
Gray Box Testing
As the name implies, this type of test is a combination of both the Black Box and the White Box Test. In other words, the penetration tester only has a partial knowledge of the internal workings of the Web Applications. This is often restricted to just getting access to the software code and system architecture diagrams. With the Gray Box Test, both manual and automated testing processes can be utilized. Because of this approach, a pen tester can focus their main efforts focus on those areas of the Web Application which he or she knows the most about, and from there, and from there, exploit any weaknesses or vulnerabilities. With this particular method, there is a higher probability that more hard to find “security holes” will also be discovered as well.
Network Services
In the word of Pen Testing, this is viewed as the most common and most in demand test to conduct for a client. This type of test involves finding security weaknesses and vulnerabilities in the network infrastructure of a corporation. This test can be done locally at the place of business, or even be done remotely. It is highly recommended that both approaches be utilized, in order to glean the most information possible.
This type of test involves examining the following:
- Firewall configuration testing;
- Stateful analysis testing;
- Firewall bypass testing;
- IPS evasion;
- DNS attacks which include:
*Zone transfer testing;
*Any types or kinds of switching or routing issues;
*Any other required network testing.
Some of the most common software packages which are examined in this test include:
- Secure Shell (SSH);
- SQL Server;
- MySQL;
- Simple Mail Transfer Protocol (SMTP);
- File Transfer Protocol;
- Microsoft Outlook logon pages.
It is important to note that Network Service testing is not considered to be a deep kind of testing. This is left to the Web Application Test.
Conclusions
Our next blog will examine other kinds of Pen Testing services in more detail.