Penetration Testing mailing list archives
RE: White Box Testing
From: admin () systemstates net
Date: Sun, 06 Jul 2008 00:42:35 -0700
Yousif () Vapt-Sec com wrote:
Let's say a client wants an internal assessment. In this example, perhaps they don't want to securely send code or files to be reviewed and secured. More than one person is on the job, how can we do this remotely in real-time in any other way with full control of the system if there's more than one person? -- What software exactly?
Not quite sure what you mean, but a "white box" test is one with full information. If they don't let you have access to the source code somehow, then it's not a white box test. For the latter, doesn't matter if they send you a copy, or if you log into a server of theirs which has the source code set up.

On the other hand you could do an internal test - in a sense - which was not a white box test, if they want you to test from inside their firewall.

Shouldn't be any problems for more than one person to review how the system works, but if you're going to try to break it you need to know exactly how much disruption your client is prepared to put up with. And make sure you are starting with a contract which explicitly states what you're going to do.

cheers,
--
www.systemstates.net - penetration test / IDS / incident response