Penetration test assignments are classified by the level of knowledge and access granted to the penetration tester at the beginning of the assignment. They range from black-box testing, where the expert is given minimal knowledge of the target system, to white-box testing, where the expert is granted a high level of knowledge and access. These differences in knowledge make each testing methodology suited to different situations.
In black-box testing, the penetration tester is placed in the role of a real hacker, with no internal knowledge of the target system except the name of the target site. Experts are not provided with any architecture diagrams or source code that is not publicly available. A black-box penetration test determines the vulnerabilities in a system that are exploitable, usually from outside the network.
A gray-box tester has the access and knowledge levels of a user, potentially with elevated privileges on a system. Gray-box penetration testers typically have some knowledge of a network’s internals, including an account internal to the network. The purpose of gray-box penetration testing is to provide more focused and efficient testing of a network’s security than a black-box assessment. Using the design documentation for a network, experts can focus their assessment efforts on the systems with the greatest risk and value from the start, rather than spending time determining this information on their own. An internal account on the system also allows testing of security inside the hardened perimeter and simulates an insider with longer-term access to the network.
White-box penetration testers are able to perform static code analysis, using source code analyzers, debuggers and similar tools important for this type of testing. White-box penetration testing provides a comprehensive assessment of both internal and external vulnerabilities, making it the best choice for calculation testing.