White Box Penetration Testing

As ethical (white hat) hackers, we emulate an attacker by utilizing similar techniques to perform reconnaissance, identify vulnerabilities, and break into your systems. Unlike an attacker, however, we stop our test before exposing sensitive data or doing harm to your environment. With a White Box Penetration Test, we test a system with “administrator” or “root” level access and knowledge. This often includes access to architecture diagrams, design documents, specifications, and source code. A White Box Penetration Test is the most thorough and time consuming. A White Box Penetration Test is commonly used in the following scenarios:

• An organization is developing their own product
• An organization is developing their own software application
• An organization is integrating several products or applications

If you are developing your own product or application, accessible over a computer network (wired or wireless), you should have it thoroughly tested to ensure it is not “hackable”. White Box Penetration Testing is extremely important with devices that process, store, or transmit sensitive data and for devices involved with critical infrastructure, such as Industrial Control Systems (ICS) and Supervisory Control And Data Acquisition (SCADA) systems. White Box Penetration Testing should also be a priority for devices used in healthcare or hospital environments where a compromised device could result in a violation of patient privacy, such as the release of Protected Health Information (PHI), or even become a threat to a patient, such as the compromise of drug infusion pump. If you are performing systems or product integration, White Box Penetration Testing is equally important, especially if you are responsible for the integration of components from multiple vendors. We have found numerous bugs and flaws in components that were designed and developed by a supplier for an integrated critical system.