Ask the Expert

Sorting out black box, white box and gray box software testing methods

I'm having trouble sorting out what is black box testing, what is clear box testing, white box testing and gray box testing.

Black, white/clear and gray box testing describe different approaches to testing applications - each with specific advantages and disadvantages.

Black box testing refers to testing a system with no specific knowledge of the internal workings of the system, no access to the source code, and no knowledge of the architecture. In essence, this approach most closely mimics how an attacker typically approaches your application. However, due to the lack of internal application knowledge, the uncovering of bugs and/or vulnerabilities can take significantly longer.

White or clear box testing refers to testing a system with full knowledge and access to all source code and architecture documents. Having full access to this information can reveal bugs and vulnerabilities more quickly than the "trial and error" method of black box testing. Additionally, you can be sure to get more complete testing coverage by knowing exactly what you have to test. However, because of the sheer complexity of architectures and volume of source code, white box testing introduces challenges regarding how to best focus the test and analysis efforts. Also, specialized knowledge and tools are typically required to assist, such as debuggers and source code analyzers.

Gray box testing typically refers to testing a system with limited knowledge of the internals of a system. This knowledge is usually limited to detailed design documents and architecture diagrams. It is a combination of both black and white box testing, and tries to leverage the strengths of each.

In some situations a tester may prefer white box testing, but is restricted to gray box or black box testing due to a lack of access to more detailed information. Security testers should be flexible and able to plan a test approach for any of these scenarios given the time and access to resources available for a given application.
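
The trade-off described above, as an added example that is not part of the original article: a constructed toy parser with a seeded defect, exercised by three test suites built from different levels of knowledge. The parser, its record format, the type values and the "design document" are all assumptions made for illustration.

```python
MAX_NAME = 16  # documented limit on the name field (constructed for this example)

def parse_record(data: bytes) -> str:
    """Toy parser: 1 type byte, 1 length byte, then the name.
    Seeded defect: record type 0x7F bypasses the length limit."""
    if len(data) < 2:
        raise ValueError("short record")
    rtype, length = data[0], data[1]
    if rtype != 0x7F and length > MAX_NAME:
        raise ValueError("name too long")
    name = data[2:2 + length]
    if len(name) != length:
        raise ValueError("truncated record")
    return name.decode("latin-1")

def accepted_oversize(data: bytes) -> bool:
    """Oracle shared by all suites: the parser returned a name over MAX_NAME."""
    try:
        return len(parse_record(data)) > MAX_NAME
    except ValueError:
        return False

def record(rtype: int, n: int) -> bytes:
    """Build a well-formed record of the given type with an n-byte name."""
    return bytes([rtype, n]) + b"A" * n

LENGTHS = (0, MAX_NAME, MAX_NAME + 1)  # boundary values around the limit

def black_box_suite() -> list[bytes]:
    # Only the public interface is known: type 0x01 and the 16-byte limit.
    return [record(0x01, n) for n in LENGTHS]

def gray_box_suite() -> list[bytes]:
    # An (assumed) design document lists three record types, no code.
    return [record(t, n) for t in (0x01, 0x02, 0x7F) for n in LENGTHS]

def white_box_suite() -> list[bytes]:
    # The source shows one branch that skips the check: test both sides of it.
    return [record(0x01, MAX_NAME + 1), record(0x7F, MAX_NAME + 1)]

def findings(suite: list[bytes]) -> list[bytes]:
    """Return the test cases on which the parser violated the length limit."""
    return [case for case in suite if accepted_oversize(case)]

if __name__ == "__main__":
    suites = {"black": black_box_suite(), "gray": gray_box_suite(),
              "white": white_box_suite()}
    for name, suite in suites.items():
        print(f"{name:5} box: {len(suite)} cases, {len(findings(suite))} finding(s)")
```

The black box suite is a reasonable boundary test of what it knows about and still misses the defect; the gray box suite reaches it by covering every documented type, and the white box suite reaches it with the fewest cases because the branch is visible in the source.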

This was first published in December 2006
