The terms black box, white box, or gray-box are used to classify a type of penetration test in the security industry. Gray Box testing is by far the most common type of penetration testing conducted by third-party testing firms today. On a side note, if you are more interested in contrasting the three types of tests, you can read our comparisons article: Gray Box vs. Black Box vs. White Box.
What is a Gray Box test?
In short, a gray-box test strikes a balance between emulating an attacker and auditing the security controls. It aims to efficiently test a breadth of security controls to identify vulnerabilities in the target system. This means that the penetration testing team will begin the test with certain assumptions. For example, it is typical for the gray-box penetration testing team to be provided with valid user accounts rather than having to social engineer them.
Is Gray Box Penetration Testing Valid?
Gray-Box penetration testing is the most widely conducted and accepted form. Third-party regulatory or compliance tests such as those required by PCI-DSS or HIPAA should be gray-box tests.
So Why Gray Box?
In most cases, the preferred approach in this industry is gray-box testing. But you might be asking yourself right now:
- Wouldn’t a black box test give us a better idea of what a random/external attacker could do to our system/application?
- Wouldn’t a white box test give us better coverage?
The answer to both of those questions is yes, and there are times when those methods can make more sense. Still, in general, gray-box testing can yield the best real-world results in a way that’s practical for all involved because it will provide clients the coverage they need, at the best possible cost value, in the quickest turnaround time frame possible. This makes a gray-box penetration test the general-purpose go-to testing methodology for most systems and applications.
