When performing a security audit of one's own site is one of these methods of testing generally considered better? Would I be wasting my time by doing blackbox testing when I have access to information about the underlying system or are there benefits to blackbox testing one's own site?
See also: http://security.stackexchange.com/questions/7938/do-blackbox-penetration-tests-make-sense-if-a-whitebox-audit-would-be-possible-a – Jun 30 '13 at 22:56
2 Answers
Blackbox testing gives the perspective of an external attacker, while whitebox testing generally gives the perspective of an internal attacker. Those perspectives have a big intersection but also have exclusive coverage. Even though whitebox testing tends to be easier to do and sounds more effective (not always true, though; sometimes whitebox is much harder), tests created by an attacker with no inside information tend to follow a logical path that whitebox testing initially discards, creating a chance of overlooking a vulnerability.
Security is always a trade-off of cost and benefit. You need to put into the balance the likelihood and the amount of damage of an internal attack versus the cost of whitebox testing. Also do the same thing for an external attacker and blackbox testing. Keeping this cost/benefit relation in mind, you can choose one of the approaches, or even both.
From the context of your question, I assume that this is your own site, hosted by your own server(s). I'll direct my answer based on that assumption, caveat that if my assumption is wrong, please let me know so that I can expand my answer accordingly.
As @Polaco said above, there is no harm in testing both (if you have the resources to do so). For applications, I prefer to focus on roles instead of the "black-box" vs "white-box" nomenclature. So, and this is particularly true for web applications, I will have an anonymous user role, an authenticated user role and an admin role. These roles are not absolute and can be expanded or reduced based on the complexity of your application. Testing multiple roles can assist you in determining risk at different layers.
I don't think you ever really "waste" time by testing black box. It is just that white-box may be more beneficial if time is limited.
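The role-based testing the second answer describes, as an added example that is not part of the original answer or of any real project: a small Python harness that replays the same requests under an anonymous, an authenticated and an admin session and reports every response that deviates from an expected role matrix. The target application, its routes (`/account`, `/admin/users`, `/admin/export`) and the planted missing-role-check bug are constructed for the example; the harness itself only sends requests and inspects status codes (black-box), while the list of roles and routes comes from knowing your own site (white-box), which is the combination the answer argues for.

```python
"""Role-matrix access test: identical requests replayed under each role.

Added example, not code from the original answer. The application below is a
hypothetical stand-in for "your own site"; only the harness is generic.
"""
from dataclasses import dataclass

# --- constructed target application (hypothetical) ---------------------------
# Sessions are plain dicts (None = anonymous); the app returns an HTTP status.
SESSIONS = {
    "anonymous": None,
    "user": {"uid": 7, "role": "user"},
    "admin": {"uid": 1, "role": "admin"},
}


def target_app(method, path, session):
    """Minimal router with a deliberately planted authorization bug:
    /admin/export checks that *a* session exists but never checks the role."""
    if path == "/":
        return 200
    if path == "/account":
        return 200 if session else 302          # 302 = redirect to login
    if path.startswith("/admin/"):
        if session is None:
            return 302
        if path == "/admin/export":             # BUG: missing role check
            return 200
        return 200 if session["role"] == "admin" else 403
    return 404


# --- role matrix: acceptable status codes per (method, path) and role ---------
EXPECTED = {
    ("GET", "/"):             {"anonymous": {200},      "user": {200}, "admin": {200}},
    ("GET", "/account"):      {"anonymous": {302, 401}, "user": {200}, "admin": {200}},
    ("GET", "/admin/users"):  {"anonymous": {302, 401}, "user": {403}, "admin": {200}},
    ("GET", "/admin/export"): {"anonymous": {302, 401}, "user": {403}, "admin": {200}},
}


@dataclass
class Finding:
    role: str
    method: str
    path: str
    expected: set
    observed: int


def run_role_matrix(app=target_app, matrix=EXPECTED, sessions=SESSIONS):
    """Replay every (method, path) under every role; return the deviations.

    A deviation where a lower role gets 200 on a higher role's route is a
    vertical privilege escalation; a higher role being denied is a functional
    bug that also deserves a look, so both are reported."""
    findings = []
    for (method, path), per_role in matrix.items():
        for role, allowed in per_role.items():
            observed = app(method, path, sessions[role])
            if observed not in allowed:
                findings.append(Finding(role, method, path, allowed, observed))
    return findings


if __name__ == "__main__":
    for f in run_role_matrix():
        print(f"{f.role:9} {f.method} {f.path}: "
              f"expected {sorted(f.expected)}, got {f.observed}")
```

Against a real site, `target_app` would be replaced by a function that performs the HTTP request with the cookie or token for each role; the matrix stays the same, and extending it with a second "user" session for the same routes (owner vs. non-owner of a resource) turns the same loop into a horizontal privilege-escalation check.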