Penetration Testing mailing list archives

RE: White Box Testing


From: admin () systemstates net
Date: Sun, 06 Jul 2008 00:42:35 -0700

Yousif () Vapt-Sec com wrote: 

Let's say a client wants an internal assessment. In this 
example, perhaps they don't want to securely send code or 
files to be reviewed and secured. More than one person is 
on the job, how can we do this remotely in real-time in 
any other way with full control of the system if there's 
more than one person? -- What software exactly?

Not quite sure what you mean, but a "white box" test is one 
with full information. If they don't let you have access to 
the source code somehow, then it's not a white box test. For 
the latter, doesn't matter if they send you a copy, or if you 
log into a server of theirs which has the source code set up.

On the other hand you could do an internal test - in a sense
- which was not a white box test, if they want you to test
from inside their firewall. 

Shouldn't be any problems for more than one person to review 
how the system works, but if you're going to try to break it
you need to know exactly how much disruption your client is 
prepared to put up with. And make sure you are starting with
a contract which explicitly states what you're going to do.

cheers,

-- 
www.systemstates.net - penetration test / IDS / incident response



