Commercial enterprises know that the best way to maintain market leadership is to attack yourself. It’s the same in IT security if you want to maximize your resistance against hackers. A niche industry has grown up around penetration testing – or ‘pentesting’ for short. Providers in this sector offer their services for applying automated or manual tests to see if they can ethically hack your computer systems and network. Business self-preservation is a strong motivation for pentesting. Such tests may also be necessary parts of a certification process for being allowed to handle confidential customer or financial data, for example. Some practitioners divide test operations into white-box and black-box testing. But is it really that clear cut?
If you haven’t yet met the white-box and black-box approaches, here’s a quick primer. Not to be confused with white-hat and black-hat search engine marketing methods (a very different kettle of fish), the difference lies in how much information is made available about the target to be tested. If you know which systems are installed, with which operating systems, applications, versions, etc., you can look for specific weaknesses. This is the white box approach. If you have no information about the target, then you will have to use your imagination to coax out indications of where you might successfully attack: the black-box method.
Both approaches have their pros and cons. White-box testing lets you identify specific vulnerabilities that can then be repaired if necessary, because you know what they are and where they are. On the other hand, you might miss out of the way weaknesses that a more creative hacker would find. Conversely, the black-box approach forces you to think like a hacker and helps to build a global appreciation of the strength of your IT security. But while you may be able to cause malfunctions or siphon off data, you may not always know which parts of the system are at fault. The answer, as in software and system testing in general, is to use your judgment in applying a mix of both, with the appropriate level of greyness for your particular set-up.