Go back to overview

Penetration Testing Explained: Black, Grey, or White Box?

4 February 2021

When it comes to cybersecurity and penetration testing, there’s a lot of jargon to navigate. In particular, the types of penetration testing are often broken up into ‘boxes’. Commonly, these are Black, Grey, and White Box.
What do they mean? What do they involve and entail? Cyrex is here to help pull the curtain back and show what’s involved with our own penetration testing services.

Penetration Testing

Firstly, for those who may not know, penetration testing is the service of security engineers testing your application’s security. They try to penetrate the security you have in place and show you their results. Simply put, it’s just a test of how good your walls are against those trying to breach them. The advantages of such a test are huge, allowing a company to see where their digital weakness may be. Without a proper penetration test, you are likely at serious risk of a breach. Breaches such as this can compromise your users and their data. It will likely inflict financial losses as well as damage to your reputation.

Penetration testing is a part of Cyrex’ core security services and we offer black box, grey box, and white box packages. Let’s break those down.

Black Box

This is effectively a test from a real-world perspective. Our security engineers go in with no intelligence regarding your application’s security, technical stack, documentation, or functionality. It is simply a link to your application, and we try to break into it!

This is by far the most realistic attempt at hacking on our part. With no prior knowledge, our engineers are looking for vulnerabilities to exploit, discovering how dangerous they may be to your application. The reconnaissance phase will take much longer as we discover how your application works and runs. This is a necessity because we can’t really hack into your system before we know how it works.

Overall, we only recommend this as a reality check. Without knowledge, we can only test what we find. And we don’t want to leave a company hanging for weeks on end as we push and pry every angle. That’s inefficient for everyone involved. Real world hackers will be attempting it like this and have all the time in the world. But we have to keep on schedule, and we don’t like leaving vulnerabilities open.

White Box

We’re skipping next to the direct opposite of Black Box testing. This is instead a full-on exchange from your side to ours. This would be our best and most in-depth testing service.

You tell us everything, including providing the source code itself. With the API functionality, technical stack, full documentation, and coding language, we have a full complement to work with. Like this, we can not only test the security of your system as ethical hackers, but we can also look for issues and validate your app on a programming level. We can identify issues on the coding level and clear them up.

Sharing source code, however, may be a no go. While we take every measure to protect your code, the trepidation is fully understood.

Grey Box

Grey box testing is by far the most popular and, with White Box, comes most recommended of our penetration testing services. It works as the best entry-level service for penetration testing.

This is a great middle-ground for both sides – an exchange of partial documentation. We get mostly the base details and, more importantly, the APIs and the functionalities. We also know how many endpoints need to be tested. This is where Black Box can often fall short. With this detail in hand, we can not only test your application to its full extent, but we are also able to provide an accurate quote for the testing.

With the most important information in hand and no extra time needed on reconnaissance, we are able to head straight into the testing phase. Our security engineers, using pair hacking, will test your application’s security fully and comprehensively.

For us, and our clients, this service goes highly recommended.

Pair Hacking

For Cyrex’ penetration testing and many other of our security services, we utilise the previously mentioned above - pair hacking. When we get to work to ethically hack a system, we assign no fewer than two security engineers. Many other security companies will simply assign a solo engineer per test.

At Cyrex, we work in the ethical hacking mentality. We understand the industry as professionals, but we approach our work in hacking as those outside the industry do.

Hackers don’t work alone; they work in communities and groups. So, to simulate their behaviour, and to maximise our efficiency – we utilise pair hacking. In this way, we can think outside the box and beyond the traditional angles. Our pairs and groups can test their quality of work against their peers and validate their findings as well. With more than a single ethical hacker, we can cover every angle and potential injection point. Pair hacking allows us to tackle the same job in half the time.

If a penetration test sounds of interest to your application, you can learn more on our security page here. Or you can get in touch with us directly. If you’d like to see the results of a penetration test, we have anonymised security reports from previous penetration tests available for free here!