Before performing a penetration test, the question arises as to how the pentest should be performed. Here, pentesters distinguish between the following approaches:

  1. Blackbox test
  2. Whitebox test
  3. Graybox test

Which test is best suited for an audit?

Blackbox or black-box test

With this penetration test method, the pentester does not receive any information about the systems in operation: neither which firewall is in use nor which external services the company uses. Therefore, the pentester has to spend more time on research. For this purpose, pentesters also use background information about the company from the darknet and special search engines such as Shodan.

Customers like to use this testing approach to find out what information real hackers can find out about the company. For liability reasons, however, the customer must always disclose the actual IP addresses of its infrastructure and authorize the audit company with a declaration of authorization for the pentest attack.

The advantages:

  • Customers learn what information about the company is stored on the Internet and the darknet

  • The time the customer has to spend on providing information and on coordination is minimal

  • The results report is written from the point of view of a hacker

Disadvantages and the cost factor:

  • Due to the lack of coordination, there is no prioritization of which services are particularly critical and require more or less testing effort

  • The research is time-consuming, and therefore a black box test is more expensive than a white or gray box test

  • The black box test is not suitable for testing internal security-relevant algorithms of the applications.

Whitebox or white-box test

During the whitebox test, there is an intensive exchange of information between the operator and the pentester about the IT infrastructure used, the security infrastructure, the IT services and the authentication methods. Often, protective measures such as the firewall IPS are disabled in advance to allow the security scan to run efficiently. To test web applications, the pentester often also receives several active user IDs in order to run, for example, the OWASP Top 10 attacks within the web application. Often the pentester also gets insight into source code or internal configurations.

This testing approach is very efficient! The pentester actively communicates with the customer and tests the IT services and applications in great depth. The results can go as far as recommendations for the software developers, since login functions, authentication and underlying algorithms are also discussed. Because information about the infrastructure is shared, the pentester can make structural recommendations about network design and security infrastructure, which is often not possible with a black box test.

Many advantages:

  • Customers can prioritize IT services and communicate with the pentester in advance
  • Whitebox tests are more efficient and cost-effective than blackbox tests in terms of pentest results
  • Customers receive software development recommendations on secure coding and secure design
  • The pentester can make recommendations on the network architecture and the 3-tier application architecture
  • Through the exchange of information between the customer and the pentester, internal algorithms and APIs can also be evaluated in the results report.
  • Customers learn more about the pentester's attacks in advance and can better monitor their services.

There are also disadvantages:

  • The coordination effort is greater (a few hours, up to 1–2 days)
  • Customers need a detailed network plan and an IT asset directory, and they need to know exactly how their systems are configured.
  • Often this confidential information is not readily shared externally

Graybox / gray-box test

In this mixed form between white-box and black-box testing, partial knowledge about internal infrastructures is exchanged. This includes at least the relevance of the published services.

The advantages are obvious:

  • The pentester nevertheless creates a complete inventory of external services, but focuses penetration testing on critical services with sensitive data
  • With knowledge of the infrastructure and the security infrastructure, the auditor can make specific recommendations on the architecture
  • The test phase is significantly shortened compared to a black box test
  • Invasive test methods that disrupt or block services (e.g. DoS attacks) can be evaluated in advance

The disadvantages:

  • Overcoming the first perimeter takes longer, so there is less time to intensively test the systems behind it
  • Graybox tests produce fewer results and recommendations than whitebox tests when measured over the same amount of time
  • Graybox tests can only be used to a limited extent to test internal algorithms between systems (e.g. internal APIs, internal cryptography usage, backend communication with third-party systems)

What does a pentest cost?

The cost of a penetration test also results from the time spent on the following services:

  1. The preparation time and arrangements with the customer
  2. The setup of the security scanner and the automated scanning tools
  3. The time for the manual penetration tests of the customer's systems by the pentester
  4. The report preparation and coordination of the draft report
  5. The final presentation

Small pentest projects can already be offered with an effort of 2–3 days due to the high degree of automation of phase 2. For black box tests, additional hours or days are needed for research. The turnaround time is usually around 1 week.

For medium-sized projects or more demanding IT services, 5–7 days or more should be invested in the pentest. The security scan includes, among other things, an externally created service inventory and can run for many days if there are a large number of IP addresses. During this time the pentester monitors the scanner, but there is usually no working time involved. The working time is focused exclusively on phases 1, 3, 4 and 5.

Large pentest projects with a large number of IP addresses or the testing of very demanding web applications can also take 10+ days. If you schedule or invest too few days for the pentest, there is a risk that the pentester will not be able to identify relevant vulnerabilities in the given time and the test will be incomplete as a result. For large pentests, the turnaround time can also be 3–4 weeks.