_edited.png)
Very often, when we talk about "cybersecurity", we immediately think of "pentest" (for penetration testing).
Pentesting (or "ethical hacking", black box audit) is an intrusion test, the objective of which is to simulate a cyber attack in real conditions, in order to detect vulnerabilities in the computer network, vulnerabilities that could be exploited by malicious attackers.
The pentest is therefore, in other words, a security audit. The purpose of a security audit is to assess the level of security of a network infrastructure, to identify potential entry points for malicious actors, in order to correct these flaws.
There are three main types of security audit: the black box audit (the pentest), the grey box audit, and the white box audit, each of which has its own particularities.
Black box audit (or pentest)
As explained above, the black box audit is a penetration test, a security audit, which has the particularity of simulating a computer attack as close as possible to real conditions.
Thus, no information is given to the testers before they carry out the attack, they only have at their disposal a company name, possibly an IP address or a URL.
So-called "ethical" hackers put themselves in the shoes of an attacker who would target a particular company. As the attacker (i.e. the consultant) has no information about the company, the scope of the attack can be very broad, although it is still possible to pre-define the scope of the audit.
This audit is considered to be one of the simplest to carry out: indeed, it requires very little preparation and is quick to carry out as the tester does not need to know the internal workings of the company. The black box audit is often considered to be the least intrusive of the three types of audit.
Exploitation of security loopholes
As explained earlier, the black box audit is often considered to be the least intrusive of the three types of audit, as the architecture, configuration documents, etc. are not shared with the consultants.
However, a black box audit can also go as far as exploiting the flaw (depending on the request of the audited organisation): it then becomes much more intrusive. For example, in some pentest-type security audits, cybersecurity consultants exploit the security flaws discovered and demonstrate how they were able to access and encrypt customer data, for example, or how they were able to infect and stop all digital activity in the company: the consultant discovers the flaw, exploits it, and provides proof of exploitation, thus becoming a little more intrusive.
The black box audit remains the most superficial of the three: as the source codes are not studied, it is not possible, in the event of a problem, to know which source code is involved. It can also be redundant, if the company carries out other tests, and as the elements analysed during a black box audit are generally included in the other tests.
In addition, the results of a black box audit do not allow the formulation of contextualised remedial measures.
White box audit
The white box audit is the opposite of the black box audit. In this type of audit, no pentesting or penetration testing as such is carried out. It is mainly an in-depth analysis of the security of the information systems. This audit provides a complete assessment of internal and external network vulnerabilities. For this type of audit, the consultant has all the information he needs at his disposal to carry out his analysis: network architecture documents, administrator access to certain servers, access to source codes, etc. The tester must be able to see the network's security and the vulnerabilities that exist. The tester must be able to have a global view of the functioning of the information system and the application, and the elements that make them up.
By carrying out this type of audit, it is then possible to see which line of code is being used for each feature, the idea being that by testing all the test scenarios, all the lines of code are checked.
This audit is particularly useful during the development of a digital product or application, but its usefulness remains valid throughout the various life cycles of a product/project.
As with a black-box audit, it is possible to define an audit scope for a white-box audit. However, as long as the consultant has access to all architecture and configuration documents, the white box audit will still be the more comprehensive of the two, even when auditing a pre-defined scope.
The white-box audit remains the more exhaustive of the three, as it allows the entire system to be tested without leaving anything out. This audit also makes it possible to detect vulnerabilities that may have been intentionally hidden by the developer/designer/editor.
However, this audit is the most complex and time-consuming of the three, and also the one that requires the greatest involvement from the organisation's management.
Grey box audit
This type of audit combines the advantages of the two previous approaches.
It is an intermediate level of auditing, in which the attackers have at their disposal some information about the company or about their target (access to a user account for example). The tester here knows the role of the system and its various functionalities, and has a relative knowledge of the company's internal mechanisms. However, unlike the white-box audit, the tester does not have access to the source code.
Here again, the attack is carried out as close as possible to real conditions: the information that ethical hackers have at their disposal is information that they could have found online, or through various phishing techniques.
Pentest or white box audit ?
Black box audit / pentest | White box audit |
Carrying out a pentest, simulating a computer attack | Conducting an in-depth analysis |
No information is given to the attacker | All necessary information is provided to the consultant |
Reports symptoms, consequences | Reports the source of the problem |
Vulnerability report of varying completeness | Comprehensive vulnerability report + explanations of causes and proposed corrections |
An attacker's perspective | A network administrator's point of view |
Difficult to propose contextualised remedial measures | Relevance of proposed remedial countermeasures as they are put into context |
Does not require much management involvement | Requires significant management involvement |
Disadvantage: not very comprehensive audit, so critical vulnerabilities may be missed | Disadvantage: very exhaustive audit: long and sometimes difficult to frame |
To conclude
Pentesting remains a very useful method for verifying the effectiveness of the implementation of countermeasures, following a white-box audit and remediation campaign. In particular, it allows us to verify, following a white-box audit, that the corrective measures implemented are effective and relevant.
However, it cannot be at the heart of a cybersecurity strategy, as its superficiality does not allow it to create a real perennial security.
The white-box audit has the advantage of allowing a more precise detection of the problems but also of the sources of the problem, and its exhaustiveness guarantees more relevance. Although its implementation and progress are much longer (especially for larger companies whose information systems are sometimes very complex), it allows a more global and complete vision.
A good cybersecurity strategy is therefore based on the appropriate use of white, grey or black box audits, depending on the context, the need and the objectives of the audited organisation.
Related blog posts:
Did you enjoy this blog post?
Find more content related to cybersecurity and GDPR regulatory compliance on the CyberSecura blog!
Find out more about our cybersecurity audit services!
We need your answers!
By completing this survey, you are helping us to better understand your interactions with our site and your potential needs.
Your answers are anonymous, and unless you ask to be contacted again by our teams, no personal information is requested!
Thank you for your responses!
Would you like to be informed about our news and receive our latest blog posts directly in your mailbox? Subscribe to our monthly newsletter!
Would you like to discuss your difficulties, your needs, our offers? Ask to be contacted, free of charge and without obligation, by one of our cybersecurity experts!