The following is a transcript of Christian Espinosa’s explanation of White Box Penetration Testing. Christian sold Alpine Security to CISO Global in 2020 and recently founded Blue Goat Cyber.
Hello, this is Christian Espinosa with Alpine Security. In this video, we’ll cover white box penetration tests. This completes our series, the three video series on the different colored boxes of penetration test. We already did a video on both the black and gray box penetration test.
With a white box penetration test, we know the most about the target. Just a quick review, with a black box we know very little about the target other than maybe the target’s IP address or URL. With a gray box, we know a little bit more than a black box. We often have user level access to the target, such as a user level account on a web application, or maybe a active directory user level account. With white box, though, we know the most about the target.
So sometimes with white box we have root level or administrator level permissions. We also often have access to data flow diagrams, institute relationship diagrams, maybe even the source code, maybe even access to the developers that are actually producing the software or developing the software or the product.
So typically with a white box penetration test, this is most often used during development of software or a product. It’s much more beneficial to have somebody from a penetration testing team working with your developers during the development process, than waiting till your product is released and then hiring a penetration testing team to poke holes in it after it’s already been released. It costs a lot more money to fix it, and it’s much more difficult to fix after it’s been released. So that’s why white box is typically done as part of the development cycle for product or software.
It can also be done or performed during system integration. Let’s say you’re a systems integrator and you integrate different subsystems from different suppliers, and you integrate all that into your overall system. So you have to have some degree of trust that your suppliers are actually designing their components to your specifications, and that what you’re getting from them is secure.
So before you integrate that, or as you’re integrating that into your overall system, you should do some white box testing to make sure this component you get, for instance, only has the inputs you specified and the outputs you specified. There’s no extraneous data going through that component or originating from that component. So that would be an example of when we would do a white box penetration test for systems integration. Also, a white box penetration test typically includes a gray box and a black box because as we’re going through this process and we’re looking at what’s being developed, we often do test from both the aspect of unauthenticated and user level access, which is gray.
The threats we emulate for a white box; typically we’re trying to discover poor coding practices. So a white box penetration test, as I mentioned, is typically performed during software development. So this is the prime time to discover input validation problem or a balance checking problem. The perfect opportunity is during the development. As I mentioned earlier, if we wait to hire the penetration testing team until after development is done and they find out we have a problem such as a input validation or a buffer overflow attack that our software allows to happen because of a vulnerability, that is much more costly to fix than if we could have identified it upfront.
The other threat that the white box penetration test helps with is any issues in the supply chain. As we mentioned earlier, we often do white box penetration test to a systems integrator. So if one of your suppliers and the supply chain has a vulnerability that is introduced somewhere along the supply chain and that component mixed into your overall system, this is the perfect opportunity to test this before it’s released, again, out to your customers.
If you have any questions about white box penetration testing, you can leave them as a comment beneath this video. If you’re interested in a white box penetration test, you can contact us at www.bluegoatcyber.com. I hope you enjoyed this video and I’ll talk to you later on. Cheers!