Understanding Black Box, White Box and Gray Box Vulnerability Assessment and Penetration Testing (VAPT)
Published on: Sunday 19-07-2020
Vulnerability comes from the Latin word for "wound," vulnus. Vulnerability is the state of being open to injury, or appearing as if you are.
In short, vulnerability is the quality of being easily hurt or attacked.
In today's IT field, your software applications and infrastructure should be well secured and free of vulnerabilities.
A vulnerability in that case can be defined in two ways:
- A bug in code or a flaw in software design that can be exploited to cause harm. Exploitation may occur by an authenticated or unauthenticated attacker.
- A gap in security procedures or a weakness in internal controls that when exploited results in a security breach.
What is Vulnerability Assessment (VA)?
A vulnerability assessment is the testing process used to identify and assign severity levels to as many security defects as possible in a planned time-frame. This process may involve automated and manual techniques with varying degrees of rigor and an emphasis on comprehensive coverage. Using a risk-based approach, vulnerability assessments may target different layers of technology, the most common being infrastructure (host or network) and application-layer assessments.
Conducting vulnerability assessments helps organizations identify vulnerabilities in their software and supporting infrastructure before a compromise can take place.
What is Penetration Testing (PT)?
A vulnerability assessment simply identifies and reports noted vulnerabilities, whereas a penetration test (pen test) attempts to exploit the vulnerabilities to determine whether unauthorized access or other malicious activity is possible. Penetration testing typically includes network penetration testing and application security testing as well as controls and processes around the networks and applications, and should occur from both outside the network trying to come in (external testing) and from inside the network.
Important Benefits of Vulnerability Assessment & Penetration Testing (VAPT)
In short, Vulnerability Assessment & Penetration Testing is called "VAPT".
There are many benefits of VAPT, and they differ across business domains. To summarize, I am sharing below four important benefits of VAPT.
1. Preventing Information Loss
Can you imagine your crucial business data being hacked and ending up with your competitor or in other unwanted hands? Sensitive business information is even more important, and it should be highly secured. Defense in depth is crucial for any system to be cyber protected.
2. Preventing Financial Loss
Similar to information loss, there is a direct chance of fraud (by hackers, extortionists or disgruntled employees) or of lost revenue due to unreliable business systems and processes.
3. Protects Your Brand in Market
VAPT provides due diligence and compliance evidence to your industry regulators, customers and shareholders. Non-compliance can result in your organization losing business, receiving heavy fines, gathering bad PR or ultimately failing. It protects your brand by avoiding loss of consumer confidence and business reputation.
4. Essential part of Compliance Standards or Certifications for any Organization
Vulnerability testing helps shape information security strategy through identifying vulnerabilities and quantifying their impact and likelihood so that they can be managed proactively; budget can be allocated and corrective measures implemented.
VAPT is largely mandated across various industries and sectors. There is a wide range of compliance standards that require such audits to be carried out periodically. Some of the well-known standards are:
- ISO 27002 / ISO 27001
- PCI DSS – Payment Card Industry Data Security Standard
- SOX – Sarbanes-Oxley Act
- HIPAA – Health Insurance Portability and Accountability Act
- TRAI – Telecom Regulatory Authority of India
- DOT – Department of Telecommunication
- CERT-In – Cyber Emergency Response Team of India
- GLBA – The Gramm–Leach–Bliley Act
- FISMA – The Federal Information Security Management Act
- NIST – National Institute of Standards and Technology
- SAS 70 – Statement on Auditing Standards
- COBIT – Control Objectives for Information and Related Technology
If your organization plans to adopt such standards in the future, it is a good idea to bring VAPT into your security processes from now on.
What are the 3 Types of Vulnerability Assessment & Penetration Testing (VAPT)?
VAPT is further divided into three key types, as explained below.
Black Box Testing
In this type of testing, the security tester has no knowledge of the system. Here "system" means any web application, website, mobile app or network device. For example, an organization has developed a new website; the website URL is shared with the security testing team without any login credentials, source code, etc. That is black box testing.
It can be performed in a short time frame and is simpler than the other security testing types; these can be treated as its benefits. However, it is not holistic security testing coverage, as many important test cases are missed. For example, it will not cover cryptography or bad-code related issues.
Gray Box Testing
This is the most popular security testing, as in this case partial knowledge of the system is provided to the security testing team. For example, an organization has developed a new website and the security testing team is provided with the URL of that website along with test user credentials. Indirectly, it covers black box testing plus additional test cases, giving more test coverage.
Gray box testing covers the maximum number of security test cases that can be reached without source code. For example, it covers session and authentication related test cases. It is more beneficial than black box testing, but it does not have access to the source code, hence we cannot consider it full-coverage testing. It requires a bit more time to perform compared with black box testing.
White Box Testing
It is more detailed security testing, where the organization provides full knowledge of the system along with source code, documentation, etc. For example, an organization has developed a new website and the security testing team gets access to the entire source code and all related information for security testing. It gives full coverage, more than black box and gray box testing.
White box testing fills the blind spots in security testing that are skipped in gray box and black box testing. For example, it can cover issues like hardcoded account numbers or email IDs used in transaction logic. It is also very helpful for reviewing the quality of the output of the source code development vendor or team. The only demerit of this type of testing is that it can be lengthy compared to the other types.
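As an added illustration of the white box point above (this is example code, not from the original article or any real project): a small source scan that flags the kind of hardcoded account numbers and email addresses in transaction logic that only a reviewer with source access can find. The sample sources, the `settle`/`notify`/`transfer` names and the account-number pattern are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample of the kind of transaction logic a white-box reviewer
# sees: fee routing and alerting tied to literals embedded in the source.
SAMPLE_SOURCE = '''
def settle(amount, payee_account):
    # settlement fee always goes to one fixed internal account
    fee_account = "IN12345678901234"
    notify("finance-alerts@example.com", amount)
    return transfer(amount, payee_account, fee_account)
'''

# Constructed hardened variant: the same values come from reviewed
# configuration, so nothing sensitive is baked into the code.
HARDENED_SOURCE = '''
def settle(amount, payee_account, settings):
    fee_account = settings["fee_account"]
    notify(settings["alert_address"], amount)
    return transfer(amount, payee_account, fee_account)
'''

@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line in the scanned source
    kind: str      # which pattern matched
    value: str     # the literal that was found

# Hypothetical patterns for this example: a two-letter country code followed
# by 10-32 digits (IBAN-like account number) and a quoted e-mail address.
PATTERNS = {
    "hardcoded_account": re.compile(r'"([A-Z]{2}\d{10,32})"'),
    "hardcoded_email": re.compile(r'"([\w.+-]+@[\w-]+\.[\w.]+)"'),
}

def scan_source(source: str) -> list[Finding]:
    """Return every string literal in `source` that looks like an account
    number or e-mail address, with the line it appears on."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(lineno, kind, match.group(1)))
    return findings

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.kind} -> {f.value}")
    print("hardened findings:", scan_source(HARDENED_SOURCE))
```

A black or gray box tester only sees the website's behaviour and would never observe these literals; the scan reports two findings for the sample source and none for the hardened one.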
Every organization must perform VAPT on its key assets. It can choose which type of testing fits it best.
Shekhar Ashok Pawar is CEO of GrassDew IT Solutions Pvt Ltd which is primarily focused on Cybersecurity Assessment & Audits, IT Consulting, Customised Software Development and Software Products. With more than 15 years of international experience, he is CISA, CEH, CHFI, MCP, Blockchain Developer, Dip Cyber Laws, CMMi Level 5 ATM & ISO 27001 LA. He is also certified H/W & S/W expert for Mobile Phones, Computers and CCTV cameras. He did Executive Management (SJMSOM, IIT-Bombay), after Engineering in Electronics & Telecommunications, Mumbai. He is also certified for "Digital Signal Processor & Applications" by Analog Devices - DSP Learning Center, IIT Madras.
He is lead contributor to GrassDewPanther @ LinkedIn which is focused on sharing global cyber threats and related news. Shekhar's recent book “Air Team Theory: Understanding 10 Types of Team Mates and Best Practices to Succeed” was published in January 2020 and is a hot-seller on Amazon.