Comments on: White Box Better Than Black Box http://www.veracode.com/blog/2009/10/white-box-better-than-black-box/ Application security testing, analysis, and metrics Thu, 09 Feb 2012 11:59:00 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Juan Gama http://www.veracode.com/blog/2009/10/white-box-better-than-black-box/comment-page-1/#comment-3139 Juan Gama Mon, 16 Nov 2009 19:12:16 +0000 http://www.veracode.com/blog/?p=964#comment-3139 You are right about the coverage, WhiteBox has a better results over BlackBox, but the problem that I've been seeing is the cost, maybe is better to have a WhiteBox test but it is also more expensive, maybe this is the main retractor when companies do not want a internal security team and instead of it they go to external companies to perform a security test. Besides BlackBox tests are way cooler than WhiteBox tests :P You are right about the coverage, WhiteBox has a better results over BlackBox, but the problem that I’ve been seeing is the cost, maybe is better to have a WhiteBox test but it is also more expensive, maybe this is the main retractor when companies do not want a internal security team and instead of it they go to external companies to perform a security test.

Besides BlackBox tests are way cooler than WhiteBox tests :P

]]> By: M-unition » Blog Archive » WASC Web Application Security Statistics Published http://www.veracode.com/blog/2009/10/white-box-better-than-black-box/comment-page-1/#comment-3118 M-unition » Blog Archive » WASC Web Application Security Statistics Published Mon, 02 Nov 2009 14:31:04 +0000 http://www.veracode.com/blog/?p=964#comment-3118 [...] to Veracode’s Blog for pointing me to the Web Application Security Consortium (WASC) Web Application Security [...] [...] to Veracode’s Blog for pointing me to the Web Application Security Consortium (WASC) Web Application Security [...]

]]> By: 気になった記事(20091023) [ほほほのほ] http://www.veracode.com/blog/2009/10/white-box-better-than-black-box/comment-page-1/#comment-3109 気になった記事(20091023) [ほほほのほ] Fri, 23 Oct 2009 03:58:24 +0000 http://www.veracode.com/blog/?p=964#comment-3109 [...] White box better than black box [...] [...] White box better than black box [...]

]]> By: Dave Hull http://www.veracode.com/blog/2009/10/white-box-better-than-black-box/comment-page-1/#comment-3104 Dave Hull Wed, 21 Oct 2009 17:28:25 +0000 http://www.veracode.com/blog/?p=964#comment-3104 I read through the WASS data yesterday and found it matched nicely with my experience. I've been working in app sec for a few years now, using the full gamut of threat modeling, static code analysis and manual testing. I see white box testing progressing along Stu Feldman's maturity model: 1. You have a good idea. 2. You can make it work. 3. You convince a gullible friend to try it. 4. People stop asking why you're doing it. 5. People start asking others why they aren't doing it. In the not too distant future, the companies that aren't doing white box testing will be the outliers. Black box testing has too many unknowns and they are mostly unknown unknowns (thank you Rumsfeld). I read through the WASS data yesterday and found it matched nicely with my experience. I’ve been working in app sec for a few years now, using the full gamut of threat modeling, static code analysis and manual testing. I see white box testing progressing along Stu Feldman’s maturity model:

1. You have a good idea.
2. You can make it work.
3. You convince a gullible friend to try it.
4. People stop asking why you’re doing it.
5. People start asking others why they aren’t doing it.

In the not too distant future, the companies that aren’t doing white box testing will be the outliers.

Black box testing has too many unknowns and they are mostly unknown unknowns (thank you Rumsfeld).

]]>