Sorting out black box, white box and gray box software testing methods

Black box, white box and gray box software testing methods may seem confusing. Expert Brad Arkin describes how these software testing methods work.

I'm having trouble sorting out what is black box testing, what is clear box testing, white box testing and gray box testing.

Black, white/clear and gray box testing describe different approaches to testing applications - each with specific advantages and disadvantages.

Black box testing refers to testing a system with no specific knowledge of the internal workings of the system, no access to the source code, and no knowledge of the architecture. In essence, this approach most closely mimics how an attacker typically approaches your application. However, due to the lack of internal application knowledge, the uncovering of bugs and/or vulnerabilities can take significantly longer.

White or clear box testing refers to testing a system with full knowledge of, and access to, all source code and architecture documents. Having full access to this information can reveal bugs and vulnerabilities more quickly than the "trial and error" method of black box testing. Additionally, you can be sure to get more complete testing coverage by knowing exactly what you have to test. However, because of the sheer complexity of architectures and volume of source code, white box testing introduces challenges regarding how to best focus the test and analysis efforts. Also, specialized knowledge and tools are typically required to assist, such as debuggers and source code analyzers.

Gray box testing typically refers to testing a system with limited knowledge of the internals of a system. This knowledge is usually limited to detailed design documents and architecture diagrams. It is a combination of both black and white box testing, and tries to leverage the strengths of each.

In some situations a tester may prefer white box testing, but is restricted to gray box or black box testing due to a lack of access to more detailed information. Security testers should be flexible and able to plan a test approach for any of these scenarios given the time and access to resources available for a given application.
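The following is an added illustration, not part of the original answer or of anything Brad Arkin published: a small, constructed message parser with one deliberate crash bug, tested three ways. The black box harness sees only inputs and crashes, the gray box harness knows the documented message layout (type, length, payload) and types, and the white box harness has read the source and goes straight to the unchecked branch. The protocol, the constants `MSG_PING`/`MSG_ECHO`/`MSG_RESET` and the attempt counts are all assumptions made for the example; the point is how much work each level of knowledge saves, and how white box access also yields a branch-by-branch coverage plan.

```python
"""Black, gray and white box testing of one constructed parser (added example)."""
import itertools

# Hypothetical message types for the toy protocol (assumption, not a real format).
MSG_PING, MSG_ECHO, MSG_RESET = 0x01, 0x02, 0x03


def handle_message(msg: bytes) -> str:
    """Parse <type><length><payload>. Contains one deliberate crash bug."""
    if len(msg) < 2:
        raise ValueError("too short")
    mtype, length = msg[0], msg[1]
    payload = msg[2:2 + length]
    if len(payload) != length:
        raise ValueError("truncated")
    if mtype == MSG_PING:
        return "pong"
    if mtype == MSG_ECHO:
        return "echo:" + payload.hex()
    if mtype == MSG_RESET:
        # Bug: no check that the token is non-empty, so a zero-length payload
        # reaches payload[0] and raises IndexError, an unhandled crash.
        token_version = payload[0]
        return f"reset:v{token_version}"
    raise ValueError("unknown type")


def crashes(msg: bytes) -> bool:
    """Externally observable behaviour only: did the parser die unexpectedly?"""
    try:
        handle_message(msg)
    except ValueError:
        return False          # a handled rejection is not a crash
    except IndexError:
        return True
    return False


def black_box_search():
    """No source, no docs: walk every 2-byte header with an empty payload.
    Returns (attempts, crashing_input) or None."""
    headers = itertools.product(range(256), repeat=2)
    for attempts, (mtype, length) in enumerate(headers, 1):
        msg = bytes([mtype, length])
        if crashes(msg):
            return attempts, msg
    return None


def gray_box_search():
    """Design docs only: documented types x boundary lengths, payload padded."""
    attempts = 0
    for mtype in (MSG_PING, MSG_ECHO, MSG_RESET):
        for length in (0, 1, 255):
            attempts += 1
            msg = bytes([mtype, length]) + b"A" * length
            if crashes(msg):
                return attempts, msg
    return None


def white_box_search():
    """Source in hand: the RESET branch indexes payload[0] with no length
    check, so the single input that matters is RESET with length 0."""
    msg = bytes([MSG_RESET, 0])
    return (1, msg) if crashes(msg) else None


def white_box_coverage_suite():
    """Source-derived inputs that exercise every branch of handle_message once,
    the kind of coverage plan only white box access makes possible."""
    return {
        "too short": b"\x01",
        "truncated": b"\x02\x05abc",
        "ping": b"\x01\x00",
        "echo": b"\x02\x02hi",
        "reset ok": b"\x03\x01\x02",
        "reset crash": b"\x03\x00",
        "unknown type": b"\x09\x00",
    }


if __name__ == "__main__":
    for name, search in (("black", black_box_search),
                         ("gray", gray_box_search),
                         ("white", white_box_search)):
        attempts, msg = search()
        print(f"{name:5} box: crash after {attempts:4d} input(s): {msg!r}")
```

Run as a script, each strategy reports how many inputs it needed before observing the same crash; the exhaustive black box walk needs hundreds, the document-guided gray box harness a handful, and the source-guided white box harness exactly one. Swapping the exhaustive walk for a random fuzzer would make the black box count vary from run to run, which is exactly the "trial and error" cost the answer describes.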

This was first published in December 2006
