What is this color box testing you are wondering? These are the terms used to explain what type of testing you are doing.
White Box Testing –
Provides the testers with complete knowledge of the product or infrastructure to be tested. Often information provided to the testers includes architectural specifications, source code, infrastructure information including network diagrams and IP addressing information.
- Due to the tester's knowledge about the code, maximum coverage is attained during test scenario writing.
- Knowledge of the source code, it becomes very easy to find out which type of data can help in testing the application effectively.
- It helps in optimizing the code.
- Extra lines of code can be removed which can bring in hidden defects.
- Because of specialized tools like code analyzers and debugging tools that are required, it is difficult to maintain white box testing
- Sometimes it is impossible to look into every nook and corner to find out hidden errors that may create problems as many paths will go untested.
- Increased cost due to the face a skilled tester is needed to perform white box testing
Black Box Testing -
Assumes no prior knowledge of the product or infrastructure to be tested. The testers must try to figure out the inner workings of the product or infrastructure based on analysis of packaged documentation, shipped assemblies, inputs and outputs.
There is no such thing called an ideal pentester, but one could certainly try to become much smarter, well-rounded up pentester by getting the proper guidance and pin point of various key aspect of penetration testing.
- Large numbers of moderately skilled testers can test the application with no knowledge of implementation, programming language or operating systems.
- Well suited and efficient for large code segments.
- Code Access not required.
- Clearly separates user's perspective from the developer's perspective through visibly defined roles.
- Since only a selected number of test scenarios are actually performed there is limited coverage
- Since the tester cannot target specific code segments or error prone areas, there is some blind coverage.
- The test cases are difficult to design.
- Due to the fact that the tester only has limited knowledge about an application, the test is no as efficient.
There are also several variations in between, often known as grey box tests. Penetration tests may also be described as "full disclosure", "partial disclosure" or "blind" tests based on the amount of information provided to the testing party.
- The test is done from the point of view of the user and not the designer.
- Based on the limited information available, a grey box tester can design excellent test scenarios especially around communication protocols and data type handling.
- Offers combined benefits of black box and white box testing if and when possible.
- Because Grey box testers rely on interface definition and functional specifications, they don't rely on the source code.
- The tests can be superfluous if the designer has already run a test case.
- The ability to go over the code and test coverage is limited since the access to source code is not available
- Testing every possible input stream is unrealistic because it would take an unreasonable amount of time; therefore, many paths will go untested.