Subscribe by Email

Tuesday, March 6, 2012

What are different methods and techniques used for security testing at white box level?

It requires a great deal of efforts to harness a good level of security. To obtain good security statistics one has to follow a proper approach to the testing. Like for any other kind of software testing one need to decide for security system also that who will carry out the testing and what approach has to be followed. Carrying out the security testing at the white box level is not at all easy as it is very complex and detailed.

Basically till now two basic approaches have been identified for the security testing at the white box level and these have been mentioned below:

1. Functional Security Testing
- This approach to testing is usually followed by the standard testing organizations. - It deals with the checking of the features and functionalities of the software system or application for determining that whether or not they are working as stated. - This sounds like a very classic approach to security testing.

2. Risk Based Security Testing
- This is a more traditional approach to security testing and is followed usually by the quality assurance staff.
- This approach is quite difficult as compared to the previous mentioned approach.
- The main problem here is of the expertise of the testers since this approach calls for great skills in testing.
- Firstly to design the security tests which can completely exploit the vulnerabilities are difficult to be designed since for this it is required that the tester thinks like an attacker.
- Secondly, the security tests do not exploit the security of the software system or application directly and this causes a problem to observe the outcomes of a security test.


1. A security test carried out without much precaution and logic can cause the whole security testing go wrong and this in turn can lead the software tester to carry out even more complicated test processes to counteract such a situation.

2. Risk based testing requires more skills than experience.

3. Most of the security testing methodologies or techniques that we use at the white box level are traditional and some of them have become out dated.

4. On the other hand the security exploitation techniques used by the attackers have become sophisticated day by day and the traditional methods used to cope these issues are becoming extinct.

5. Security testing at both the black box level and white box level tend to have a better understanding of the software system or application but different approaches are followed at both the levels.

6. The different approach followed by them is decided on the basis of the access of the source code i.e., whether or not the tester is having access to source code.

7. Security testing at the white box level is concerned with the rigorous analyzation of the source code of the software program as well its design.

8. It basically deals with finding the errors in the security mechanism of the software system.

9. In very rare cases it happens that this approach involves the matching of the patterns and automation of the whole testing process by implementing a static analyzer.

10. One peculiar drawback has been discovered for this kind of testing which is that this kind of testing sometimes may report a bug in some part of the software but actually there exists no such bug.

11. But still security testing at white box level using static analysis methods and techniques proves good for some software systems and applications.

12. Risk based testing calls for a lot of understanding of the whole software system.

13. After all, the product security is very much essential to the reputation of the company.

No comments:

Facebook activity