Pentest – What analysis approaches are there?

13. February 2020

Attackers gaining unauthorized access to IT systems and applications has severe consequences for companies. Pentests identify possible gateways hackers could exploit and show ways to sustainably raise the IT security level of a company. This makes pentesting one of the most effective methods of security analyses companies can employ to proactively protect themselves against hacking attacks. The security analyst (pentester) tries to penetrate the IT infrastructure of a company with the same methods and means available to a potential attacker.

Blackbox, Whitebox or Greybox approach?

During a black box pentest, the pentester initially has no or very little information needed to access the target system. This missing information, e.g. about existing protection mechanisms, interface definitions and user accounts, can only be gathered by the pentester during the actual analysis. This test simulates the attack of an external attacker without any insider knowledge.

During a whitebox pentest, however, the pentester has detailed knowledge about the target system (e.g. network plans, interface definitions) and has access to the source code of the applications that are being tested as well as user or administrator rights. Thus, an attack is simulated by persons who had access to the system or who are still active.

The greybox pentest combines the characteristics of the whitebox and blackbox pentest. In this case, the pentester has limited insider knowledge about the target system, such as the IP address including the authorization of a certain user role. This approach simulates a hacker attack with the help of an insider.

What does this mean specifically for performing a pentest?

The the three analysis approaches mainly differ in test precision, scope and time required. In a black box pentest, the pentester does not have all the information about the test object required for the analysis. As a result, they need more time to research this information and have less time left for the actual in-depth test. Thus, some functionalities might remain untested. In particular, provision of the source code to the pentester in a whitebox pentest leads to an immense increase in depth of testing. Although the pentester does not perform a complete code review, they can check the source code to learn how the application behaves with certain inputs.


Please contact us, we will be happy to discuss your options for having your systems checked by our usd HeroLab security analysts.  

Also interesting:

usd PCI Best Practice Workshop 2021

usd PCI Best Practice Workshop 2021

For many years, the usd PCI Best Practice Workshop has brought together responsible PCI personnel from companies of all sizes and from all industries to discuss current topics from the world of payment card industry together with PCI experts from usd. The interactive...

3 Reasons for a Cloud Security Audit

3 Reasons for a Cloud Security Audit

Outsourcing applications and data to the cloud brings significant benefits for companies, but at the same time also new challenges for the corresponding IT departments. The technologies and processes of a cloud environment differ from those of local data centers....

usd HeroLab Top 5 Vulnerabilities 2020: SMB 1.0 & SMB Signing

usd HeroLab Top 5 Vulnerabilities 2020: SMB 1.0 & SMB Signing

During penetration tests our security analysts repeatedly uncover gateways in IT systems and applications that pose significant risks to corporate security. They increasingly identify the same vulnerabilities in different IT assets, some of which have been known for...

Categories

Categories