Executive Summary

CISOs, information security managers, quality assurance staff, and developers share the responsibility of keeping Web applications secure against external attackers and internal threats alike. New threats surface faster than information security teams can absorb them, and because Web applications change constantly, finding their vulnerabilities is a difficult, costly and time-consuming undertaking. How can security personnel protect sensitive data, and ultimately the corporate reputation, without exhausting internal resources, overspending the budget, or falling back on expensive manual penetration testing by external consulting firms?

Security teams are meeting this challenge with a wide range of solutions, some of them highly ineffective. As the market matures, companies are adopting partially effective but incomplete approaches such as white box testing tools. In practice, the realities of application architecture, API usage, and system integration prevent white box tools from having a direct impact on the overall security of a deployed application. White box analysis tools do not, by themselves, find all of the risks inherent in an application.

This paper examines the respective roles of white box and black box testing. White box technologies have a definite but limited use and value; from a Web application security perspective they come with significant blind spots. White box testing alone is therefore not sufficient to secure an application: an organization that relies solely on white box technologies will remain exposed to vulnerabilities in its applications, which makes it an ineffective method of assessing real-world risk. This paper argues that black box, or dynamic, testing is the appropriate solution for securing Web applications in practice.