SlideShare a Scribd company logo

black-box testing is a type of software testing in which the tester is not concerned with the internal knowledge or implementation details of the software

Download as PPTX, PDF
K
KrishnaVeni451953

black-box testing is a type of software testing in which the tester is not concerned with the internal knowledge or implementation details of the software but rather focuses on validating the functionality based on the provided specifications or requirements.

Engineering
1 of 24
SHADES OF ANALYSIS 1. WHITE BOX TESTING 2. BLACK BOX TESTING 3. GREY BOX TESTING
WHITE BOX TESTING • White box testing, also known as glass box testing, clear box testing, or structural testing, • It is a software testing technique where the internal structure, design, and implementation of the software under test are examined. • In white box testing, testers have access to the source code and are able to design test cases based on the internal logic of the application.
• In the security world, this can also be thought of as an insider attack. • The tester has access to the source code and design documentation. This allows the tester to be efficient. • He can threat-model the system or do a line-by-line code review, looking for information to guide the selection of test data. • White box testing is the most efficient way to find security vulnerabilities. More information allows quicker and more complete generation of interfaces to test. • It also gives you an accurate picture of the system’s security because it doesn’t rely on security by obscurity, which is the hope that attackers will never discover information about how a system works. • Security by obscurity is not real security. You should always assume that eventually all information about a system will be discovered or
• A well-designed and well-implemented system will still be secure. This is why good crypto algorithms can be published for review. They don’t rely on privacy for security. • “Risk-Based Security Testing: Prioritizing Security Testing with Threat Modeling,” described a process for working with architects and component owners to determine the software’s design. • That process should be followed before any white box testing takes place. Doing so will uncover the software’s attack surface and will show you what functionality was put in place to mitigate the risks that the attack surface poses. White box testing tests these mitigations.
• A sample mitigation is the security mechanism put in place to counter the threat of inadequate randomness in a session identifier. • After this mitigation is discovered through the threat-modeling process, the security tester can inspect the code that generates the session identifier. • This usually is not enough because small mistakes that can be difficult to determine by inspecting the code can cause the randomness to be weak and vulnerable. • A white box test would be to automate the process of creating a new session and to record the session identifiers that are generated. These identifiers can then be subjected to a mathematical analysis to see if they are truly random.
Key aspects of white box testing include: • Understanding of Internal Logic • Code Coverage • Test Case Design • Knowledge of Programming Languages • Unit Testing • Integration Testing
Benefits: White box testing can uncover hidden errors, ensure comprehensive test coverage, and help improve the quality and reliability of the software. Challenges: White box testing requires detailed knowledge of the internal implementation, which may not always be feasible or practical. Additionally, changes to the code may necessitate updates to the test cases, making maintenance challenging.
Black box testing • Black box testing is a software testing technique where the internal structure, design, and implementation of the software under test are not known to the tester. • Instead, the tester interacts with the software as an end-user would, focusing on testing the functionality and behavior of the system without knowledge of its internal workings.
• Black box testing involves examining the system as an outsider would, using tools to detect the attack surface and probe the system for internal information. • With no internal knowledge of the system, the tester builds an understanding of the system. • Information leakage is especially important to the black box tester because it helps him build more understanding than he would otherwise get by manipulating a leak-free program. • Many testers swear by black boxing techniques to complement white box testing. If too much emphasis is given to specifications and design documentation, the tester may miss parts of the system that were built incorrectly or were not included in the documentation.
• This out-of-spec functionality may harbor security flaws that must be discovered. • Black box testing lets the tester probe all of the attack surface and generate test data for functionality that may not be in the design. • A common mistake is not removing debug-only commands before production. Another is to throw in last-minute functionality that is not properly documented in the design. • Black box testing can find flaws in these cases that would otherwise go unnoticed by the white box tester. • Black box testing can be used when a system is deliberately using security by obscurity to help protect information, as is often the case in digital rights management (DRM) systems.
• Software-only DRM is impossible to completely secure because the attacker has control of the system where the DRM software is executing. • The best a DRM manufacturer can hope for is to raise the bar for a successful attack so high that a would-be attacker gives up. • Black box testing by a skilled reverse-engineering team is often used to test the strength of the obscurity used. • This typically requires expertise outside the norm for a quality assurance team and can be expensive. However, for DRM systems, it is necessary to demonstrate the efficacy of the obfuscation used.
Key aspects of black box testing include: • Independence from Internal Implementation • Test Case Design • Functional Testing- validating the system against the functional specification and requirements • Boundary Value Analysis-testing the values at extreme boundaries of input domain • User-Centric Perspective • Regression Testing-process of testing the modified parts of the code
Benefits: Black box testing provides an unbiased assessment of the software's functionality, regardless of its internal implementation. It helps uncover defects and ensures that the software meets the specified requirements and user expectations. Challenges: Black box testing may not uncover certain types of defects related to the internal logic or implementation of the software. Additionally, designing comprehensive test cases without knowledge of the internal structure can be challenging.
GREY BOX TESTING • Grey box testing in software security involves assessing the security of a system with partial knowledge of its internal workings. • This approach combines elements of both white box and black box testing techniques to identify vulnerabilities and weaknesses in the software from a security standpoint. • Ideally both white box and black box techniques are used during security testing. • White box testing is used to discover flaws in functionality that were specified in the design and development. • Black box testing is used to discover flaws without having access to these application internals. Sometimes this combination is called gray box testing.
• The application security tester typically performs gray box testing to find vulnerabilities in software. Flaws due to design and flaws due to unspecified functionality are equally important to discover. Because the source code is available to the security tester, it should be used to improve productivity. • Running the software under test in a debugger is the perfect way to meld a running black box test with the source code to give the tester the advantage of the gray box. • In the Windows world, Microsoft Developer Studio is typically the debugger of choice if debug symbols and source code are available. • It allows the tester to navigate easily through the stack and memory to explore complex variables such as classes and structures. • In the UNIX world, gdb is typically used for this purpose.
• As soon as the software is running in the debugger, the normal tools of black box testing can be brought to bear on the executing program. Fuzzers or automated regression suites are typically deployed for this. • The tester can set break points on lines of code that are dangerous to see if they can be reached with external input to the program. • These dangerous lines of code can be discovered with a code review or simply by greping or searching the code. • An example of a dangerous code is a sprintf statement in a C program that has a %s in the format string. • If the source buffer that is copied to the destination buffer is too large, a buffer overflow condition occurs. But not every sprintf statement with this condition can be exploited. Gray box testing lets you find the lines of code that are truly exploitable.
EXAMPLE ?SomeFunction(char *input) { .. char dest[50]; .. sprintf(dest, "The output is %s", input); .. }
• The preceding might be an exploitable problem, but sometimes you cannot easily determine from source code if that is true. • The path user input takes to get to the input variable can be complex. A break point can be set on this and any other similar lines of code. • Then the fuzzer or another automated test can be run to see if any of the break points are hit. • If a break point is hit, the stack can be inspected to see what the control flow was to reach that point and if any validation is placed on the input. • If there isn’t, the test input can be manipulated to determine if the vulnerable line of code can be reached with data that causes an exploitable condition.
• If issues are discovered during the development of the code, it is almost always a good idea to just fix the potentially exploitable code. • But many development teams are loathe to fix issues that might be a problem in code that has already shipped to the customer or that was put into production due to the patching cost. • A gray box approach to finding vulnerabilities gives critical exploitability information to the development team. • This helps them make an informed decision about fixing a potential vulnerability in the code.
Setting Up a Lab for Testing • A dedicated lab with the appropriate hardware and software tools is essential for efficient security testing. Many of these tools are open- source, so you can use them as a starting point for building customer clients. • VMware or other virtualization programs should be used to have standard installations of operating systems available. • A file server can store images. This way, the OS can be brought to a known good state.
• It is possible through fuzzing and other automated testing to corrupt configuration files, the Windows Registry, or even system binaries. • If this happens, you don’t want to suffer through a full reinstall. • A quick refresh with a saved VMware image can return you to the state you need to be in to continue testing. Fuzzers Open-Source • SPIKE (fuzzer framework with some prebuild protocol fuzzers) • Peachfuzz (another fuzzer framework) • Mangle (HTML fuzzer) • FileFuzz (file fuzzer) Commercial • beStorm • Codenomicon
Sniffers Open-Source • tcpdump • Ethereal (probably the only one you will need) • Snort (an intrusion detection system [IDS] that can be used as a sniffer) • Dsniff (a collection of tools that can sniff on a switched network) Commercial • AeroPeek • EtherPeak • Agilent Network Analyzer • Network General Sniffer (the original packet sniffer)
Debuggers Open-Source • gdb • Shareware • OllyDbg Commercial • Microsoft Developer Studio • SoftIce
Hardware • Obviously you need hardware that meets the requirements for the software to be tested. This may mean having Intel x86, PowerPC, or SPARC systems available. • Auditor (collection of security tools) • BackTrack (a combination of WHAX and Auditor) • Knoppix (large generic bootable CD) Commercial Testing Appliances • Mu-4000 Security Analyzer • Spirent ThreatEx

Recommended

Grey box testing in software security involves assessing the security of a sy...
Grey box testing in software security involves assessing the security of a sy...Grey box testing in software security involves assessing the security of a sy...
Grey box testing in software security involves assessing the security of a sy...KrishnaVeni451953
 
Week 14 Unit Testing.pptx
Week 14 Unit Testing.pptxWeek 14 Unit Testing.pptx
Week 14 Unit Testing.pptxmianshafa
 
WHITE BOX TESTING ashu.pptx
WHITE BOX TESTING ashu.pptxWHITE BOX TESTING ashu.pptx
WHITE BOX TESTING ashu.pptxAshutoshKumar899318
 
Testing fundamentals
Testing fundamentalsTesting fundamentals
Testing fundamentalsRaviteja Chowdary Adusumalli
 
Sorfware engineering presentation (software testing)
Sorfware engineering presentation (software testing)Sorfware engineering presentation (software testing)
Sorfware engineering presentation (software testing)1Arun_Pandey
 
Various types of software testing by kostcare | London | Waterloo
Various types of software testing by kostcare | London | WaterlooVarious types of software testing by kostcare | London | Waterloo
Various types of software testing by kostcare | London | WaterlooKostCare
 
White box black box & gray box testing
White box black box & gray box testingWhite box black box & gray box testing
White box black box & gray box testingHimanshu
 
Software testing methods
Software testing methodsSoftware testing methods
Software testing methodsHoma Pourmohammadi
 

Recommended

Grey box testing in software security involves assessing the security of a sy...
Grey box testing in software security involves assessing the security of a sy...Grey box testing in software security involves assessing the security of a sy...
Grey box testing in software security involves assessing the security of a sy...KrishnaVeni451953
 
Week 14 Unit Testing.pptx
Week 14 Unit Testing.pptxWeek 14 Unit Testing.pptx
Week 14 Unit Testing.pptxmianshafa
 
WHITE BOX TESTING ashu.pptx
WHITE BOX TESTING ashu.pptxWHITE BOX TESTING ashu.pptx
WHITE BOX TESTING ashu.pptxAshutoshKumar899318
 
Testing fundamentals
Testing fundamentalsTesting fundamentals
Testing fundamentalsRaviteja Chowdary Adusumalli
 
Sorfware engineering presentation (software testing)
Sorfware engineering presentation (software testing)Sorfware engineering presentation (software testing)
Sorfware engineering presentation (software testing)1Arun_Pandey
 
Various types of software testing by kostcare | London | Waterloo
Various types of software testing by kostcare | London | WaterlooVarious types of software testing by kostcare | London | Waterloo
Various types of software testing by kostcare | London | WaterlooKostCare
 
White box black box & gray box testing
White box black box & gray box testingWhite box black box & gray box testing
White box black box & gray box testingHimanshu
 
Software testing methods
Software testing methodsSoftware testing methods
Software testing methodsHoma Pourmohammadi
 
Software, Security, manual testing training in Chandigarh
Software, Security, manual testing training in Chandigarh Software, Security, manual testing training in Chandigarh
Software, Security, manual testing training in Chandigarh tapsi sharma
 
BLACK BOX & WHITE BOX TESTING.pptx
BLACK BOX & WHITE BOX TESTING.pptxBLACK BOX & WHITE BOX TESTING.pptx
BLACK BOX & WHITE BOX TESTING.pptxMohammadShahjalalKha
 
Company Profile
Company ProfileCompany Profile
Company ProfileArslan Awan
 
Introduction to White box testing
Introduction to White box testingIntroduction to White box testing
Introduction to White box testingAliaa Monier Ismaail
 
White box testing
White box testing White box testing
White box testing Mani Kanth
 
Software testing
Software testingSoftware testing
Software testingGuru Janbheshver University, Hisar
 
Testing fundamentals
Testing fundamentalsTesting fundamentals
Testing fundamentalsAbdul Basit
 
White box testing
White box testingWhite box testing
White box testingNeethu Tressa
 
Black box testing
Black box testingBlack box testing
Black box testingNakul Sharma
 
Unit 4 testing
Unit 4 testingUnit 4 testing
Unit 4 testingTharuniDiddekunta
 
testing strategies and tactics
testing strategies and tactics testing strategies and tactics
testing strategies and tacticsPreeti Mishra
 
unittesting-190620114546 (1).pptx document
unittesting-190620114546 (1).pptx documentunittesting-190620114546 (1).pptx document
unittesting-190620114546 (1).pptx documentAkshayaM79
 
c
cc
cRishav Upreti
 
UNIT TESTING.pptx
UNIT TESTING.pptxUNIT TESTING.pptx
UNIT TESTING.pptxDrTThendralCompSci
 
Software testing
Software testingSoftware testing
Software testingnidhip216
 
Testing strategies,techniques & test case SE
Testing strategies,techniques & test case SETesting strategies,techniques & test case SE
Testing strategies,techniques & test case SEMeet1020
 
An Insight into the Black Box and White Box Software Testing
An Insight into the Black Box and White Box Software Testing An Insight into the Black Box and White Box Software Testing
An Insight into the Black Box and White Box Software Testing BugRaptors
 
Testing Plan
Testing PlanTesting Plan
Testing PlanAjeng Savitri
 
White-box testing.pptx
White-box testing.pptxWhite-box testing.pptx
White-box testing.pptxhalaalz3by
 
Software Security
Software SecuritySoftware Security
Software SecurityIntegral university, India
 
Design and Evaluation techniques unit 5
Design and Evaluation techniques unit 5Design and Evaluation techniques unit 5
Design and Evaluation techniques unit 5KrishnaVeni451953
 
Guidelines principle and theories in UID
Guidelines principle and theories in UIDGuidelines principle and theories in UID
Guidelines principle and theories in UIDKrishnaVeni451953
 

More Related Content

Similar to black-box testing is a type of software testing in which the tester is not concerned with the internal knowledge or implementation details of the software

Software, Security, manual testing training in Chandigarh
Software, Security, manual testing training in Chandigarh Software, Security, manual testing training in Chandigarh
Software, Security, manual testing training in Chandigarh tapsi sharma
 
BLACK BOX & WHITE BOX TESTING.pptx
BLACK BOX & WHITE BOX TESTING.pptxBLACK BOX & WHITE BOX TESTING.pptx
BLACK BOX & WHITE BOX TESTING.pptxMohammadShahjalalKha
 
White box testing
White box testing White box testing
White box testing Mani Kanth
 
Testing fundamentals
Testing fundamentalsTesting fundamentals
Testing fundamentalsAbdul Basit
 
testing strategies and tactics
testing strategies and tactics testing strategies and tactics
testing strategies and tacticsPreeti Mishra
 
unittesting-190620114546 (1).pptx document
unittesting-190620114546 (1).pptx documentunittesting-190620114546 (1).pptx document
unittesting-190620114546 (1).pptx documentAkshayaM79
 
Software testing
Software testingSoftware testing
Software testingnidhip216
 
Testing strategies,techniques & test case SE
Testing strategies,techniques & test case SETesting strategies,techniques & test case SE
Testing strategies,techniques & test case SEMeet1020
 
An Insight into the Black Box and White Box Software Testing
An Insight into the Black Box and White Box Software Testing An Insight into the Black Box and White Box Software Testing
An Insight into the Black Box and White Box Software Testing BugRaptors
 
White-box testing.pptx
White-box testing.pptxWhite-box testing.pptx
White-box testing.pptxhalaalz3by
 

Similar to black-box testing is a type of software testing in which the tester is not concerned with the internal knowledge or implementation details of the software (20)

Software, Security, manual testing training in Chandigarh
Software, Security, manual testing training in Chandigarh Software, Security, manual testing training in Chandigarh
Software, Security, manual testing training in Chandigarh
 
BLACK BOX & WHITE BOX TESTING.pptx
BLACK BOX & WHITE BOX TESTING.pptxBLACK BOX & WHITE BOX TESTING.pptx
BLACK BOX & WHITE BOX TESTING.pptx
 
Company Profile
Company ProfileCompany Profile
Company Profile
 
Introduction to White box testing
Introduction to White box testingIntroduction to White box testing
Introduction to White box testing
 
White box testing
White box testing White box testing
White box testing
 
Software testing
Software testingSoftware testing
Software testing
 
Testing fundamentals
Testing fundamentalsTesting fundamentals
Testing fundamentals
 
White box testing
White box testingWhite box testing
White box testing
 
Black box testing
Black box testingBlack box testing
Black box testing
 
Unit 4 testing
Unit 4 testingUnit 4 testing
Unit 4 testing
 
testing strategies and tactics
testing strategies and tactics testing strategies and tactics
testing strategies and tactics
 
unittesting-190620114546 (1).pptx document
unittesting-190620114546 (1).pptx documentunittesting-190620114546 (1).pptx document
unittesting-190620114546 (1).pptx document
 
c
cc
c
 
UNIT TESTING.pptx
UNIT TESTING.pptxUNIT TESTING.pptx
UNIT TESTING.pptx
 
Software testing
Software testingSoftware testing
Software testing
 
Testing strategies,techniques & test case SE
Testing strategies,techniques & test case SETesting strategies,techniques & test case SE
Testing strategies,techniques & test case SE
 
An Insight into the Black Box and White Box Software Testing
An Insight into the Black Box and White Box Software Testing An Insight into the Black Box and White Box Software Testing
An Insight into the Black Box and White Box Software Testing
 
Testing Plan
Testing PlanTesting Plan
Testing Plan
 
White-box testing.pptx
White-box testing.pptxWhite-box testing.pptx
White-box testing.pptx
 
Software Security
Software SecuritySoftware Security
Software Security
 

More from KrishnaVeni451953

Design and Evaluation techniques unit 5
Design and Evaluation techniques unit 5Design and Evaluation techniques unit 5
Design and Evaluation techniques unit 5KrishnaVeni451953
 
Guidelines principle and theories in UID
Guidelines principle and theories in UIDGuidelines principle and theories in UID
Guidelines principle and theories in UIDKrishnaVeni451953
 
Alpha-beta pruning can be applied at any depth of a tree
Alpha-beta pruning can be applied at any depth of a treeAlpha-beta pruning can be applied at any depth of a tree
Alpha-beta pruning can be applied at any depth of a treeKrishnaVeni451953
 
Problem Solving Agents decide what to do by finding a sequence of actions tha...
Problem Solving Agents decide what to do by finding a sequence of actions tha...Problem Solving Agents decide what to do by finding a sequence of actions tha...
Problem Solving Agents decide what to do by finding a sequence of actions tha...KrishnaVeni451953
 
CCS334 BIG DATA ANALYTICS UNIT 5 PPT ELECTIVE PAPER
CCS334 BIG DATA ANALYTICS UNIT 5 PPT ELECTIVE PAPERCCS334 BIG DATA ANALYTICS UNIT 5 PPT ELECTIVE PAPER
CCS334 BIG DATA ANALYTICS UNIT 5 PPT ELECTIVE PAPERKrishnaVeni451953
 
A slide share pig in CCS334 for big data analytics
A slide share pig in CCS334 for big data analyticsA slide share pig in CCS334 for big data analytics
A slide share pig in CCS334 for big data analyticsKrishnaVeni451953
 

More from KrishnaVeni451953 (6)

Design and Evaluation techniques unit 5
Design and Evaluation techniques unit 5Design and Evaluation techniques unit 5
Design and Evaluation techniques unit 5
 
Guidelines principle and theories in UID
Guidelines principle and theories in UIDGuidelines principle and theories in UID
Guidelines principle and theories in UID
 
Alpha-beta pruning can be applied at any depth of a tree
Alpha-beta pruning can be applied at any depth of a treeAlpha-beta pruning can be applied at any depth of a tree
Alpha-beta pruning can be applied at any depth of a tree
 
Problem Solving Agents decide what to do by finding a sequence of actions tha...
Problem Solving Agents decide what to do by finding a sequence of actions tha...Problem Solving Agents decide what to do by finding a sequence of actions tha...
Problem Solving Agents decide what to do by finding a sequence of actions tha...
 
CCS334 BIG DATA ANALYTICS UNIT 5 PPT ELECTIVE PAPER
CCS334 BIG DATA ANALYTICS UNIT 5 PPT ELECTIVE PAPERCCS334 BIG DATA ANALYTICS UNIT 5 PPT ELECTIVE PAPER
CCS334 BIG DATA ANALYTICS UNIT 5 PPT ELECTIVE PAPER
 
A slide share pig in CCS334 for big data analytics
A slide share pig in CCS334 for big data analyticsA slide share pig in CCS334 for big data analytics
A slide share pig in CCS334 for big data analytics
 

Recently uploaded

VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130Suhani Kapoor
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escortsranjana rawat
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...ranjana rawat
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Dr.Costas Sachpazis
 
Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)simmis5
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performancesivaprakash250
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlysanyuktamishra911
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Call Girls in Nagpur High Profile
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Dr.Costas Sachpazis
 
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).pptssuser5c9d4b1
 
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...ranjana rawat
 
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130Suhani Kapoor
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxupamatechverse
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingrakeshbaidya232001
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfAKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfankushspencer015
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxAsutosh Ranjan
 
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSRajkumarAkumalla
 

Recently uploaded (20)

VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
 
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINEDJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
 
Roadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and RoutesRoadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and Routes
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
 
Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performance
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghly
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
 
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
 
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
 
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptx
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writing
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfAKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdf
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptx
 
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
 

black-box testing is a type of software testing in which the tester is not concerned with the internal knowledge or implementation details of the software

  • 1. SHADES OF ANALYSIS 1. WHITE BOX TESTING 2. BLACK BOX TESTING 3. GREY BOX TESTING
  • 2. WHITE BOX TESTING • White box testing, also known as glass box testing, clear box testing, or structural testing, • It is a software testing technique where the internal structure, design, and implementation of the software under test are examined. • In white box testing, testers have access to the source code and are able to design test cases based on the internal logic of the application.
  • 3. • In the security world, this can also be thought of as an insider attack. • The tester has access to the source code and design documentation. This allows the tester to be efficient. • He can threat-model the system or do a line-by-line code review, looking for information to guide the selection of test data. • White box testing is the most efficient way to find security vulnerabilities. More information allows quicker and more complete generation of interfaces to test. • It also gives you an accurate picture of the system’s security because it doesn’t rely on security by obscurity, which is the hope that attackers will never discover information about how a system works. • Security by obscurity is not real security. You should always assume that eventually all information about a system will be discovered or
  • 4. • A well-designed and well-implemented system will still be secure. This is why good crypto algorithms can be published for review. They don’t rely on privacy for security. • “Risk-Based Security Testing: Prioritizing Security Testing with Threat Modeling,” described a process for working with architects and component owners to determine the software’s design. • That process should be followed before any white box testing takes place. Doing so will uncover the software’s attack surface and will show you what functionality was put in place to mitigate the risks that the attack surface poses. White box testing tests these mitigations.
  • 5. • A sample mitigation is the security mechanism put in place to counter the threat of inadequate randomness in a session identifier. • After this mitigation is discovered through the threat-modeling process, the security tester can inspect the code that generates the session identifier. • This usually is not enough because small mistakes that can be difficult to determine by inspecting the code can cause the randomness to be weak and vulnerable. • A white box test would be to automate the process of creating a new session and to record the session identifiers that are generated. These identifiers can then be subjected to a mathematical analysis to see if they are truly random.
  • 6. Key aspects of white box testing include: • Understanding of Internal Logic • Code Coverage • Test Case Design • Knowledge of Programming Languages • Unit Testing • Integration Testing
  • 7. Benefits: White box testing can uncover hidden errors, ensure comprehensive test coverage, and help improve the quality and reliability of the software. Challenges: White box testing requires detailed knowledge of the internal implementation, which may not always be feasible or practical. Additionally, changes to the code may necessitate updates to the test cases, making maintenance challenging.
  • 8. Black box testing • Black box testing is a software testing technique where the internal structure, design, and implementation of the software under test are not known to the tester. • Instead, the tester interacts with the software as an end-user would, focusing on testing the functionality and behavior of the system without knowledge of its internal workings.
  • 9. • Black box testing involves examining the system as an outsider would, using tools to detect the attack surface and probe the system for internal information. • With no internal knowledge of the system, the tester builds an understanding of the system. • Information leakage is especially important to the black box tester because it helps him build more understanding than he would otherwise get by manipulating a leak-free program. • Many testers swear by black boxing techniques to complement white box testing. If too much emphasis is given to specifications and design documentation, the tester may miss parts of the system that were built incorrectly or were not included in the documentation.
  • 10. • This out-of-spec functionality may harbor security flaws that must be discovered. • Black box testing lets the tester probe all of the attack surface and generate test data for functionality that may not be in the design. • A common mistake is not removing debug-only commands before production. Another is to throw in last-minute functionality that is not properly documented in the design. • Black box testing can find flaws in these cases that would otherwise go unnoticed by the white box tester. • Black box testing can be used when a system is deliberately using security by obscurity to help protect information, as is often the case in digital rights management (DRM) systems.
  • 11. • Software-only DRM is impossible to completely secure because the attacker has control of the system where the DRM software is executing. • The best a DRM manufacturer can hope for is to raise the bar for a successful attack so high that a would-be attacker gives up. • Black box testing by a skilled reverse-engineering team is often used to test the strength of the obscurity used. • This typically requires expertise outside the norm for a quality assurance team and can be expensive. However, for DRM systems, it is necessary to demonstrate the efficacy of the obfuscation used.
  • 12. Key aspects of black box testing include: • Independence from Internal Implementation • Test Case Design • Functional Testing- validating the system against the functional specification and requirements • Boundary Value Analysis-testing the values at extreme boundaries of input domain • User-Centric Perspective • Regression Testing-process of testing the modified parts of the code
  • 13. Benefits: Black box testing provides an unbiased assessment of the software's functionality, regardless of its internal implementation. It helps uncover defects and ensures that the software meets the specified requirements and user expectations. Challenges: Black box testing may not uncover certain types of defects related to the internal logic or implementation of the software. Additionally, designing comprehensive test cases without knowledge of the internal structure can be challenging.
  • 14. GREY BOX TESTING • Grey box testing in software security involves assessing the security of a system with partial knowledge of its internal workings. • This approach combines elements of both white box and black box testing techniques to identify vulnerabilities and weaknesses in the software from a security standpoint. • Ideally both white box and black box techniques are used during security testing. • White box testing is used to discover flaws in functionality that were specified in the design and development. • Black box testing is used to discover flaws without having access to these application internals. Sometimes this combination is called gray box testing.
  • 15. • The application security tester typically performs gray box testing to find vulnerabilities in software. Flaws due to design and flaws due to unspecified functionality are equally important to discover. Because the source code is available to the security tester, it should be used to improve productivity. • Running the software under test in a debugger is the perfect way to meld a running black box test with the source code to give the tester the advantage of the gray box. • In the Windows world, Microsoft Developer Studio is typically the debugger of choice if debug symbols and source code are available. • It allows the tester to navigate easily through the stack and memory to explore complex variables such as classes and structures. • In the UNIX world, gdb is typically used for this purpose.
  • 16. • As soon as the software is running in the debugger, the normal tools of black box testing can be brought to bear on the executing program. Fuzzers or automated regression suites are typically deployed for this. • The tester can set break points on lines of code that are dangerous to see if they can be reached with external input to the program. • These dangerous lines of code can be discovered with a code review or simply by greping or searching the code. • An example of a dangerous code is a sprintf statement in a C program that has a %s in the format string. • If the source buffer that is copied to the destination buffer is too large, a buffer overflow condition occurs. But not every sprintf statement with this condition can be exploited. Gray box testing lets you find the lines of code that are truly exploitable.
  • 18. • The preceding might be an exploitable problem, but sometimes you cannot easily determine from source code if that is true. • The path user input takes to get to the input variable can be complex. A break point can be set on this and any other similar lines of code. • Then the fuzzer or another automated test can be run to see if any of the break points are hit. • If a break point is hit, the stack can be inspected to see what the control flow was to reach that point and if any validation is placed on the input. • If there isn’t, the test input can be manipulated to determine if the vulnerable line of code can be reached with data that causes an exploitable condition.
  • 19. • If issues are discovered during the development of the code, it is almost always a good idea to just fix the potentially exploitable code. • But many development teams are loathe to fix issues that might be a problem in code that has already shipped to the customer or that was put into production due to the patching cost. • A gray box approach to finding vulnerabilities gives critical exploitability information to the development team. • This helps them make an informed decision about fixing a potential vulnerability in the code.
  • 20. Setting Up a Lab for Testing • A dedicated lab with the appropriate hardware and software tools is essential for efficient security testing. Many of these tools are open- source, so you can use them as a starting point for building customer clients. • VMware or other virtualization programs should be used to have standard installations of operating systems available. • A file server can store images. This way, the OS can be brought to a known good state.
  • 21. • It is possible through fuzzing and other automated testing to corrupt configuration files, the Windows Registry, or even system binaries. • If this happens, you don’t want to suffer through a full reinstall. • A quick refresh with a saved VMware image can return you to the state you need to be in to continue testing. Fuzzers Open-Source • SPIKE (fuzzer framework with some prebuild protocol fuzzers) • Peachfuzz (another fuzzer framework) • Mangle (HTML fuzzer) • FileFuzz (file fuzzer) Commercial • beStorm • Codenomicon
  • 22. Sniffers Open-Source • tcpdump • Ethereal (probably the only one you will need) • Snort (an intrusion detection system [IDS] that can be used as a sniffer) • Dsniff (a collection of tools that can sniff on a switched network) Commercial • AeroPeek • EtherPeak • Agilent Network Analyzer • Network General Sniffer (the original packet sniffer)
  • 23. Debuggers Open-Source • gdb • Shareware • OllyDbg Commercial • Microsoft Developer Studio • SoftIce
  • 24. Hardware • Obviously you need hardware that meets the requirements for the software to be tested. This may mean having Intel x86, PowerPC, or SPARC systems available. • Auditor (collection of security tools) • BackTrack (a combination of WHAX and Auditor) • Knoppix (large generic bootable CD) Commercial Testing Appliances • Mu-4000 Security Analyzer • Spirent ThreatEx