
What Is Black-Box Security Testing?

Most developers are familiar with black-box testing, but, how does that apply in the security world? What is 'black-box security testing'? Read on to find out more.

Black-box security testing refers to a method of software security testing in which the security controls, defenses, and design of an application are tested from the outside-in, with little or no prior knowledge of the application’s internal workings. Essentially, black-box security testing takes an approach similar to that of a real attacker.

Since black-box security testing does not assume or require knowledge of the target being tested, it is a technology-independent method of testing. This makes it well suited to a variety of situations, particularly testing for vulnerabilities that arise from deployment issues and server misconfigurations.

In addition, black-box security testing offers wide test coverage with a very low false-positive rate when compared to other testing methodologies.

An automated web application black-box security test would start by collecting information about the target. This is typically accomplished by crawling the web application for all links, taking note of all inputs present on each page, and attempting to fingerprint the specific technologies the web application is making use of.

The crawling stage is imperative to an automated black-box security test, since this is where the black-box scanner identifies which inputs to test. A black-box security scanner will typically use a mixture of passive (typically during the crawl) and active (typically post-crawl) vulnerability testing techniques.

Alerts raised by a black-box security scan will then provide detailed information about vulnerabilities discovered, as well as remediation advice.
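The crawl and passive stages described above, as an added illustration that is not code from the original article or from any scanner product: it parses a constructed HTML page and constructed response headers, enumerates the links, URL parameters and form fields an active phase would later test, and raises passive findings from the headers alone without sending any request. Header names, the sample page and the "alert" strings are all assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample response (not a real site): the raw material of the crawl stage.
SAMPLE_HEADERS = {"Server": "Apache/2.4.41 (Ubuntu)",  # version banner, fingerprinting data
                  "Set-Cookie": "session=abc123; Path=/"}
SAMPLE_HTML = """<html><body>
<a href="/products?id=1&amp;sort=asc">Products</a> <a href="/about">About</a>
<form action="/login" method="post">
  <input type="text" name="username"><input type="password" name="password">
</form></body></html>"""

class InputCollector(HTMLParser):
    """Records links, URL parameters and form fields: the inputs an active phase would test."""
    def __init__(self):
        super().__init__()
        self.links, self.params, self.forms, self._form = [], set(), [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
            self.params.update(parse_qs(urlparse(a["href"]).query))  # query-string inputs
        elif tag == "form":
            self._form = {"action": a.get("action", ""), "method": a.get("method", "get").lower(), "inputs": []}
        elif tag in ("input", "textarea", "select") and self._form is not None and a.get("name"):
            self._form["inputs"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None

def crawl_page(html):
    """Crawl stage for one page: enumerates inputs without sending any test payload."""
    p = InputCollector()
    p.feed(html)
    p.close()
    return {"links": p.links, "params": sorted(p.params), "forms": p.forms}

def passive_checks(headers):
    """Passive findings drawn from response headers alone (header names assumed case-sensitive here)."""
    wanted = ("Content-Security-Policy", "Strict-Transport-Security", "X-Content-Type-Options")
    findings = [f"missing header: {h}" for h in wanted if h not in headers]
    cookie = headers.get("Set-Cookie", "").lower()
    findings += [f"cookie lacks {f} flag" for f in ("HttpOnly", "Secure") if cookie and f.lower() not in cookie]
    if "/" in headers.get("Server", ""):  # a version string is fingerprinting material
        findings.append(f"server version disclosed: {headers['Server']}")
    return findings
```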

Beyond one-off black-box security tests and PDF reports, automated black-box security testing tools are commonly integrated with issue trackers such as Atlassian JIRA, GitHub, and Microsoft TFS, as well as Continuous Integration (CI) platforms such as Jenkins.

Published at DZone with permission of
