Assessment methodology and approach

Blueinfy Solutions – Web Security Products, Consulting & Training Company
Methodologies and Challenges
DAST & SAST
Automated + Manual (both are a must)
Methodologies
OWASP’s Risk Picture
Application Security Cycle
Architecture – Architecture Review, Design Review, Technology Review, Threat modeling
Blackbox (Assessment) – Audit controls, Penetration tests, Deployment tests
Whitebox – Configuration review, Deployment review, Code review, Threat correlation
Defense – Secure coding, Configuration lockdown, Content filtering, Threat mitigation
Methodology, Scan and Attacks
Black (assessment) – Footprinting & Discovery → Enumeration & Crawling → Attacks and Scanning
White (review) – Config Scanning, Code Scanning
Defense – Web Firewall, Secure Coding
Assets → Secure Assets
Blackbox
Footprinting & Discovery → Profiling & Vulnerability assessment → Manual Attacks / Auto Attacks → Exploit → Defense
Review flow (Blackbox)
Architecture Review
Scoping
Footprinting
Discovery
Enumeration & Profiling
Security Controls & Cases
Vulnerability Assessment
Threat Modeling
Mitigation strategies
Reporting
Sample Security Control Categories – Authentication,
Access Controls/Authorization, API misuse, Path traversal,
Sensitive information leakage, Error handling, Session management,
Protocol abuse, Input validation, Cross Site Scripting (XSS),
Cross Site Request Forgery (CSRF), Logic bypass, Insecure crypto,
Denial of Service, Malicious Code Injection, SQL injection,
XPath and LDAP injection, OS command injection,
Parameter manipulation, Brute force, Buffer Overflow,
Format string, HTTP response splitting, HTTP replay,
XML injection, Canonicalization, Logging and auditing.
Challenges
• Technology fingerprinting
• Hidden calls (endpoints reachable only through client-side code)
• Framework integration
• Multiple entry points
• Traditional fuzzing will not work (structured XML/JSON payloads)
• Automated assessment can be a challenge
• Behavioral assessment with artificial intelligence
Whitebox
Identified threats → Identifying configuration and code blocks → Configuration review / Code review → Security control → Vulnerability detection
Review flow (Whitebox)
Architecture Review
Scoping
Threat Modeling
Code Enumeration
Security Controls & Cases
Entry Point Discoveries
Class, Function & Variable Tracing
Code Mapping and Functionality
Vulnerability Detection
Mitigation Controls
Reporting
Sample Security Control Categories – the same list as under the blackbox review flow above.
Defense
Vulnerabilities → Identifying configuration and code blocks → Code controls / Configuration locks → Defense strategies and policies → Content filtering
Challenges
• JavaScript code analysis
• Logic on the client
• Reverse engineering of client code – Flash, Silverlight or Ajax
• Server-side issues and source code analysis
• Web Services are a major concern, as is the security of their source
Challenges
• Filtering required for different streams
• Code security on the client side is needed as well
• Browser and DOM security
• Web application firewall – web 2.0 stream protection
• Overall new approach for entry point analysis
Web 2.0 Challenges
• How to identify possible hosts running the application? – Cross Domain.
• Identifying Ajax and RIA calls
• Dynamic DOM manipulation points
• Identifying XSS and XSRF vulnerabilities for Web 2.0
• Discovering back end Web Services – SOAP, XML-RPC or REST.
• How to fuzz XML and JSON structures?
• Web Services assessment and audit
• Client side code review
• Mashup and networked application points
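As an added example (not from the Blueinfy deck), the following Python shows two of the challenges listed above in working form: discovering Ajax entry points that a link-following crawler never sees ("hidden calls", "Identifying Ajax and RIA calls", "Discovering back end Web Services"), and fuzzing a JSON body one field at a time instead of as an opaque string ("Traditional fuzzing will not work", "How to fuzz XML and JSON structures?"). The JavaScript snippet, the request body, the endpoint patterns and the payload list are all constructed for the demonstration; the pattern list is illustrative, not complete.

```python
"""Finding hidden Ajax entry points and fuzzing a JSON body structurally.

Added example, not taken from the original deck. The JavaScript bundle, the
captured request body and the endpoint patterns are constructed for the
demonstration; the pattern list is illustrative rather than complete.
"""
import copy
import json
import re

# Constructed client-side code. An href-following crawler sees none of these calls.
SAMPLE_JS = r'''
var api = "/api/v2";
function load(id) { $.ajax({ url: api + "/profile/" + id, type: "GET" }); }
fetch("/api/v2/search", { method: "POST", body: JSON.stringify({ q: term, page: 1 }) });
var xhr = new XMLHttpRequest(); xhr.open("POST", "/services/order.asmx/Place");
$.getJSON("/api/v2/suggest?q=" + encodeURIComponent(term));
'''

# The URL is always the last capture group in each pattern.
ENDPOINT_PATTERNS = [
    re.compile(r"""\.open\(\s*["'](\w+)["']\s*,\s*["']([^"']+)["']"""),  # xhr.open(method, url)
    re.compile(r"""\bfetch\(\s*["']([^"']+)["']"""),                     # fetch(url, ...)
    re.compile(r"""\burl\s*:\s*(?:\w+\s*\+\s*)?["']([^"']+)["']"""),     # $.ajax({ url: ... })
    re.compile(r"""\$\.get(?:JSON)?\(\s*["']([^"']+)["']"""),            # $.get / $.getJSON
]


def discover_endpoints(js):
    """Return the set of URL fragments referenced from XHR, fetch and jQuery calls."""
    found = set()
    for pattern in ENDPOINT_PATTERNS:
        for match in pattern.finditer(js):
            found.add(match.group(match.lastindex))
    return found


# Constructed body for the POST /api/v2/search call above.
SAMPLE_BODY = {"q": "shoes", "page": 1, "filters": {"brand": ["acme"], "inStock": True}}
PAYLOADS = ["'", "<svg/onload=alert(1)>", "../../etc/passwd", "{{7*7}}"]


def leaf_paths(value, prefix=()):
    """Yield the path (dict keys and list indexes) to every scalar in a JSON value."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from leaf_paths(child, prefix + (key,))
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from leaf_paths(child, prefix + (index,))
    else:
        yield prefix


def set_path(value, path, replacement):
    """Deep-copy value and replace the scalar at path."""
    clone = copy.deepcopy(value)
    node = clone
    for key in path[:-1]:
        node = node[key]
    node[path[-1]] = replacement
    return clone


def json_fuzz_cases(body, payloads=PAYLOADS):
    """One request body per (leaf, payload). Only one field changes each time,
    so the document still parses and the payload reaches application logic
    instead of being rejected by the JSON parser, which is what happens when the
    body is mutated as an opaque byte string."""
    return [(path, json.dumps(set_path(body, path, payload)))
            for path in leaf_paths(body) for payload in payloads]


if __name__ == "__main__":
    print(sorted(discover_endpoints(SAMPLE_JS)))
    for path, raw in json_fuzz_cases(SAMPLE_BODY)[:3]:
        print(path, raw)
```

Against the constructed bundle the discovery step yields four endpoints, including the web-service call hidden behind XMLHttpRequest; the four-leaf body expands to sixteen well-formed fuzz cases. In a real engagement the regex list is a starting point only: bundled or minified code, URLs assembled from several variables and calls made through framework wrappers all need the client-side code review the deck calls for.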
WhiteBox vs. BlackBox
• Scope of coverage
– The blackbox method uses crawling and spidering to determine all possible resources.
– Application assets reside in JavaScript and various other HTML tags, which makes asset detection very difficult; the blackbox approach fails in many such cases.
– With the whitebox approach no line of code in scope is missed, so coverage of the source can in principle reach 100%. Whitebox does a much better job of covering the scope of the source.
WhiteBox vs. BlackBox
• Discovery and Detection
– Blackbox testing uses signature analysis for vulnerability detection; for example, it looks for an ODBC error to detect SQL injection, and so on.
– If the errors are missing (suppressed, or replaced by a generic error page) …
– Blackbox fails in those cases.
– Whitebox is good to go: the vulnerable code is still visible in the source.
WhiteBox vs. BlackBox
• Accuracy of Vulnerability
– Accuracy of vulnerability findings is very important as well.
– Blackbox is inaccurate in some cases.
– It comes up with false positives and false negatives.
WhiteBox vs. BlackBox
• Cause Identification
– One of the major challenges is to identify the actual cause of the vulnerability.
– Blackbox shows the symptoms.
– Whitebox can pinpoint the cause.
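The "Discovery and Detection" and "Cause Identification" points above, as an added example that is not part of the original deck. The SQLite-backed handler, its two error-handling modes and the three scanners are all constructed here so the comparison runs offline. It also goes one step beyond the slide: besides the error-signature check, it shows a blind boolean probe, which is the blackbox answer when error signatures are absent, and an AST-based source check that reports the line of the vulnerable query rather than the symptom.

```python
"""Error-signature detection vs. blind probing vs. source review.

Added example; it is not part of the original deck. The target application,
its two error-handling modes and the scanners are all constructed here so the
comparison runs offline. The handler is kept as text so that the same code is
both executed (the blackbox target) and parsed (the whitebox target).
"""
import ast
import sqlite3

# Constructed vulnerable handler: untrusted input concatenated into SQL.
TARGET_SOURCE = '''
def lookup_user(db, user_id):
    cur = db.cursor()
    cur.execute("SELECT name FROM users WHERE id = " + user_id)
    return [row[0] for row in cur.fetchall()]
'''
_ns = {}
exec(TARGET_SOURCE, _ns)
lookup_user = _ns["lookup_user"]


class App:
    """Minimal request handler; verbose_errors decides whether DB errors leak."""

    def __init__(self, verbose_errors):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
        self.db.executemany("INSERT INTO users VALUES (?, ?)",
                            [(1, "alice"), (2, "bob")])
        self.verbose_errors = verbose_errors

    def get(self, user_id):
        """Return (status, body) the way an HTTP front end would."""
        try:
            return 200, ",".join(lookup_user(self.db, user_id))
        except sqlite3.Error as exc:
            if self.verbose_errors:
                return 500, "sqlite3.OperationalError: " + str(exc)
            return 500, "Internal Server Error"


ERROR_SIGNATURES = ("ODBC", "sqlite3.OperationalError", "syntax error", "unrecognized token")


def blackbox_signature_scan(app):
    """The approach on the slide: inject a quote and look for a DB error signature."""
    _, body = app.get("1'")
    return any(sig in body for sig in ERROR_SIGNATURES)


def blackbox_boolean_scan(app):
    """Blind alternative: a true predicate reproduces the baseline, a false one does not."""
    baseline = app.get("1")
    return baseline == app.get("1 AND 1=1") and baseline != app.get("1 AND 1=2")


def _built_at_runtime(node):
    """True when the SQL argument is concatenated, an f-string, or a .format() call."""
    if isinstance(node, (ast.BinOp, ast.JoinedStr)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def whitebox_scan(source):
    """Return (line, message) for each execute()/executemany() whose SQL is not a
    literal. This is the cause, independent of what the running app discloses."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany") and node.args
                and _built_at_runtime(node.args[0])):
            findings.append((node.lineno, "SQL built from runtime values in " + node.func.attr))
    return findings


def compare():
    """What each technique reports against the verbose and the hardened deployment."""
    verbose, hardened = App(verbose_errors=True), App(verbose_errors=False)
    return {
        "signature_scan_verbose": blackbox_signature_scan(verbose),
        "signature_scan_hardened": blackbox_signature_scan(hardened),
        "boolean_scan_hardened": blackbox_boolean_scan(hardened),
        "whitebox_findings": whitebox_scan(TARGET_SOURCE),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, "->", result)
```

The signature scan fires only against the deployment that echoes the database error; against the hardened one it reports nothing, which is exactly the false negative the slide describes. The boolean probe still detects the flaw because it relies on application behaviour rather than error text, and the source scan names the line with the concatenated query whatever the deployment does. The AST check is deliberately narrow (one sink, three construction patterns); a production SAST rule also has to follow the tainted value back to the request parameter to avoid flagging SQL assembled from constants.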
Conclusion