The greyscale of black-box, grey-box and white-box is often used to describe the approach for a penetration test. The terms are sometimes even used interchangeably, and what one person calls grey-box is not necessarily the same grey-box as for somebody else. Let's take a detailed look at the different approaches that are commonly used.
During the initial planning of a penetration test a lot of questions can arise. Some frequently asked questions include:
All of these are questions about the testing approach. Let's try to better understand the different approaches in the subsequent paragraphs.
With a black-box approach the attacker does not have any information about the target. The system under test is essentially a black box: its inner workings are unknown and not disclosed. Only publicly available documentation may be used. Furthermore, no user accounts are provided by the vendor. This approach most closely reflects a real-world attack from the outside.
This approach has one obvious shortcoming. A lot of time may be needed to become familiar with the system under test. Ideally, the penetration tester is already very familiar with the underlying technology; otherwise, an inexperienced tester will need even more time to gain a suitable level of knowledge about the potential attack vectors. Even with expert knowledge, some time has to be spent on familiarization with the specific system. For commercial penetration tests, time is directly proportional to cost.
Another shortcoming of this approach is the potential lack of coverage. For a thorough test the penetration tester needs an overview of the functionality. Additionally, access to user accounts is usually necessary to achieve good coverage, since authenticated functionality is otherwise out of reach.
From a threat perspective this approach models an external attacker.
This approach sits between black-box and white-box testing. It makes use of additional information provided right at the start of the penetration test.
Compared with the black-box approach, the goal is to address the shortcomings listed above. Firstly, the learning period can be reduced by providing documentation, which improves the efficiency of the overall test. Secondly, by providing access to user accounts the coverage can be increased. With this additional information the test can focus on the operations and functions that would normally be out of view of the penetration tester. Commonly, multiple users per role are requested: two accounts in the same role make it possible to test for horizontal access-control flaws (one user reaching another user's data), while accounts in different roles make it possible to test for vertical privilege escalation.
From a threat perspective this approach models a malicious user, or an attacker who has obtained a legitimate account.
The white-box testing approach focuses on coverage. For penetration testing, a white-box approach means providing full knowledge of the system under test. This is typically achieved through access to the source code. Consequently, the security test can combine Static Application Security Testing (SAST) of the code with Dynamic Application Security Testing (DAST) of the running system. Furthermore, documentation as well as user accounts with different privilege levels are included.
From a threat perspective this approach models an insider threat, such as someone with access to the source code and internal documentation.
Obviously, there is no single right approach. Every point on the greyscale has its justification. The choice should be based on the threat model and the type of attacker one is expecting.
For newly developed applications a brief black-box penetration test may be a good start. Based on this initial test, a follow-up grey-box test can be executed. Together this provides good coverage for most web applications. The initial phase gives insight into the general security posture of the application, while the second phase focuses on achieving thorough coverage of the system under test.
For systems that already have a solid level of security, a white-box approach provides additional assurance. Ideally, such an approach prioritizes critical functionality in order to balance coverage against cost.
In conclusion, the purpose of a penetration test is to make a system more secure. This is best accomplished by choosing the approach that fits an organization's threat profile.
The goal of a black-box penetration test is to simulate an external attack. The grey-box approach provides broader coverage, based on the knowledge available at the start. With access to the internal workings and the source code, a white-box approach provides the deepest coverage. In practice the boundaries between the three are blurred, and most engagements are scoped somewhere along the greyscale rather than at one of its ends.