There are three main penetration testing methods, each with a varying level of information provided to the tester before and during the assessment.
#1. Black Box Penetration Testing
A black box test is one where the tester is provided the bare minimum amount of information, such as just the company name. This is best suited for a mature environment where there are already existing processes for vulnerability identification and remediation. A tester will be able to simulate an attacker with limited knowledge of the organization. The downside to this approach is that the tester devotes time to learning the environment. Time that could be spent testing for potential vulnerabilities when this high-level information is provided up front.
#2. Grey Box Penetration Testing
The next step up in providing information is often referred to as a grey box test. Here, the tester is provided with a bit more information, such as specific hosts or networks to target. This can provide a good idea of what a targeted attack may look like, without requiring the tester to spend significant time collecting information.
#3. White Box Penetration Testing
The third type of penetration testing is often referred to as white box testing. This type of testing involves providing the tester with all sorts of internal documentations, configuration plans, etc. By providing this information to the tester, they can spend more time focused on exploiting issues, rather than performing host enumeration and vulnerability scanning. This type of testing can also be used to target specific concerns, such as new features in an application, or new segments of a network. Even with this information sharing, there are still areas the tester may not look, and therefore may not discover every exploitable vulnerability.
