Most developers are familiar with black-box testing, but, how does that apply in the security world? What is ‘black-box security testing’? Read on to find out more.
Black-box security testing refers to a method of software security testing in which the security controls, defenses, and design of an application are tested from the outside-in, with little or no prior knowledge of the application’s internal workings. Essentially, black-box security testing takes an approach similar to that of a real attacker.
Since black-box security testing does not assume or have knowledge of the target being tested, it is a technology independent method of testing. This makes black-box security testing ideal for a variety of situations, particularly, when testing for vulnerabilities that arise from deployment issues and server misconfigurations.
In addition, black-box security testing offers the opportunity to cover a wide test coverage with a very low false-positives rate when compared to other testing methodologies.
An automated web application black-box security test would start by collecting information about the target. This is typically accomplished by crawling the web application for all links, taking a note of all inputs present on a page, as well as attempting to fingerprint specific technologies the web application is making use of.
The crawling stage is imperative to an automated black-box security test since this is where the black-box scanner will identify what inputs to test. A black-box security scanner will typically use a mixture of passive (typically, during the crawl) and active (typically, post-crawl) vulnerability testing techniques.
Alerts raised by a black-box security scan will then provide detailed information about vulnerabilities discovered, as well as remediation advice.
Beyond one-off black-box security tests and PDF reports, automated black-box security testing tools are commonly integrated with issue trackers such as Atlassian JIRA, GitHub and Microsoft TFS; as well as Continuous Integration (CI) platforms such as Jenkins.