an Ajax-enabled, unlinked administrator portal? Using two tools won't help in this situation, since the white-box tool will find the portal but not be able to test it and the black-box tool won't be able to find the portal at all. This is not as uncommon a scenario as it might seem, especially given the exponential growth of interest in Ajax.
The most complete method of ensuring code coverage in Web applications would be to use a hybrid white-box/black-box analysis tool. Sometimes this approach is called "gray-box" testing, but gray-box testing usually implies that the tester does not have complete access to the source code of the application. In this case, however, the hybrid tool will have complete access to the source and will perform both a complete white-box and a complete black-box analysis. Additionally, instead of just running each method independently, the tool will apply both techniques in cooperation with each other. First, the white-box component executes, finding defects in the code and compiling a complete list of the site pages and execution cases (like the leap-day exception). After it finishes, the white-box component passes this list to the black-box component, which ensures that each page and execution case in the list is thoroughly scanned.
In this way, the strength of each type of tool is used to overcome the other's weakness. The cooperation between the separate components is the key that makes code coverage more complete. Hopefully, the white-box and black-box analysis camps will take inspiration from the peanut butter cup and start working together to create more reliable and more trustworthy Web-application analysis tools.
Pages
About the author
Bryan Sullivan is a security program manager on the Security Development Lifecycle (SDL) team at Microsoft. He is a frequent speaker at industry events, including Black Hat, BlueHat, and RSA Conference. Bryan is also a published author on Web application security topics. His first book, Ajax Security was published by Addison-Wesley in 2007.
