Whitebox Testing – Avoid Compromises
Whitebox Testing is a methodology known by many names: Pen Test, Penetration Test, Structural Testing and/or Glass Box Testing, to mention a few! Whitebox Testing is not new by any means. Even so, it is a relatively recent arrival to the business world as a whole.
Whitebox Testing is said to have been pioneered by Donie Barnes and certainly his name has become synonymous with it. He was simply exploring how his company’s software could be defended against the threat of black-box testing. Today, whitebox testing is a commercial mechanism and is seen by many as a cost effective alternative to black box testing.
From Black Box to White Box
The term black box testing is a throwback to the days of virus-ridden networks and dreaded worms. Back in the day, business IT departments would set up a PC, hook it up to the company’s telephone system, and ask IT staff to wipe their customers’ hard drives!
But today, having a system that is both black box and able to switch off the company desktop system and install a new one is a lot better. IT departments can also easily incorporate office blue screen tests, for example, which allow the IT staff to see, in a live virtual environment, what the consequences would be if confidential information was leaked.
Black box testing is not the only methodology that can be used for penetration testing. White box testing is also prevalent. The idea is basically to test the consequences of a security breach without having to hook up actual hardware to evaluate the potential fallout. Companies either accept the risk that the data will be leaked, or assume no risk by performing a damage control check and saving funds in the process.
White box testing is very different from black box testing. The old terms were not exactly switched; instead, a number of software companies simply switched to a more neutral term, “weuration testing.” The point is, however, that even a blind box cannot protect a person in a world of virtualization and sophisticated reverse engineering tools.
Reverse Engineering + Whitebox Testing = Risk
Reverse engineering, the art of analyzing what a system contains, including technical aspects and compliance with best practices, is becoming complex, even complex enough that many coders and designers are bypassing the process and going straight to the coding or design stage of the project.
Developers and designers now have toolbars across many different packages that allow them to view code, change it, and inspect it. They then think they are doing their job when they are actually just looking for a chance to cause trouble. Roaming around and dropping a bomb on a company’s virtual offices is probably the least of their worries.
So what happens next? Unfortunately, many times, nothing at all. Most times, the real culprits are senior management, who seem to really have forgotten how to be human. These people need to be educated on the dangers and consequences of their actions, day and night. They need to realize that something terrible might happen if they don’t do something about it immediately.
How to Fight Back
Thankfully, there are some very effective ways to fight back. First, and most important, is to make sure that you have a good security program in place. Make sure that it is not a patchwork quilt with no teeth. Create security guidelines and rules, and have those rules and guidelines enshrined in a contract with yourself.
If you can’t afford the time or money to do this yourself, then your organization might be losing money and valuable time. You might have to fire the employee(s) involved and assign the task to another employee so that this never happens again.
Next, if the company is large, it’s probably a good idea to hire a consultant to inspect the security position. Your company might be losing money, or might even fire the wrong people who are meant to prevent such a disaster from happening again. You can avoid all such problems by getting the right advice.
In addition, you should set up systems that allow you to limit access to those who really need it. Some companies make it easy to add employees to their overall payroll by allowing them access to only certain areas of the company. This reduces the likelihood that employees will go to unauthorized sites, and reduces the potential for fraud among your own employees.
Creating the right environment can be as easy as creating a document that lays out all of the expectations and has directions as to what people should and should not be able to do. They should know that failure to meet these expectations will cause you to take action.