Black, white/clear and gray box testing describe different approaches to testing applications - each with specific advantages and disadvantages.
Black box testing refers to testing a system with no specific knowledge of the internal workings of the system, no access to the source code, and no knowledge of the architecture. In essence, this approach most closely mimics how an attacker typically approaches your application. However, due to the lack of internal application knowledge, the uncovering of bugs and/or vulnerabilities can take significantly longer.
White or clear box testing refers to testing a system with full knowledge and access to all source code and architecture documents. Having full access to this information can reveal bugs and vulnerabilities more quickly than the "trial and error" method of black box testing. Additionally, you can be sure to get more complete testing coverage by knowing exactly what you have to test. However, because of the sheer complexity of architectures and volume of source code, white box testing introduces challenges regarding how to best focus the test and analysis efforts. Also, specialized knowledge and tools are typically required to assist, such as debuggers and source code analyzers.
Gray box testing typically refers to testing a system with limited knowledge of the internals of a system. This knowledge is usually limited to detailed design documents and architecture diagrams. It is a combination of both black and white box testing, and tries to leverage the strengths of each.
In some situations a tester may prefer white box testing, but is restricted to gray box or black box testing due to a lack of access to more detailed information. Security testers should be flexible and able to plan a test approach for any of these scenarios given the time and access to resources available for a given application.
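The contrast between black box "trial and error" and white box source access can be shown with a small test harness. This is an added example, not part of the original article; the target function `parse_record`, its defect, and all helper names are constructed for illustration.

```python
import ast
import itertools
import random
import string

# Constructed system under test: one defect sits behind two exact string checks.
TARGET_SRC = '''
def parse_record(data):
    if data.startswith("v2;") and data.endswith(";dbg"):
        raise RuntimeError("unhandled debug record")  # the defect
    return "ok"
'''
_ns = {}
exec(TARGET_SRC, _ns)
parse_record = _ns["parse_record"]


def run_cases(cases):
    """Feed each input to the target; return (attempts, inputs that crashed it)."""
    crashes, attempts = [], 0
    for case in cases:
        attempts += 1
        try:
            parse_record(case)
        except RuntimeError:
            crashes.append(case)
    return attempts, crashes


def black_box_cases(budget, seed=0):
    """No internal knowledge: random printable strings, trial and error."""
    rng = random.Random(seed)
    alphabet = string.ascii_letters + string.digits + string.punctuation
    for _ in range(budget):
        yield "".join(rng.choice(alphabet) for _ in range(rng.randint(0, 12)))


def white_box_cases(source):
    """Source access: read the string literals the code compares against
    and combine them pairwise so prefix and suffix checks can both be met."""
    literals = sorted({n.value for n in ast.walk(ast.parse(source))
                       if isinstance(n, ast.Constant) and isinstance(n.value, str)})
    for a, b in itertools.product(literals, repeat=2):
        yield a + b


if __name__ == "__main__":
    print("black box:", run_cases(black_box_cases(20000)))
    print("white box:", run_cases(white_box_cases(TARGET_SRC)))
```

The white box pass reaches the defective branch with a handful of inputs derived from the source, while the black box pass spends its whole budget without reaching it.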
This was first published in December 2006