The Case for Cooperation between White-Box and Black-Box Test Tools


The most complete method of ensuring code coverage in Web applications would be to use a hybrid white-box/black-box analysis tool. This approach is sometimes referred to as gray-box testing.  Tray-box testing usually implies that the tester does not have complete access to the source code of the application, though. In this case, however, the hybrid tool will have complete access to the source and, ultimately, will perform both a complete white-box and a complete black-box analysis. Additionally, instead of just running each method independently, the tool will apply both techniques in cooperation with each other. First, the white-box component executes, finding defects in the code and compiling a complete list of the site pages and execution cases (like the leap-day exception). After it finishes, the white-box component passes this list to the black-box component, which ensures that each page and execution case in the list is thoroughly scanned.

In this way, the strength of each type of tool is used to overcome the other's weakness. The cooperation between the separate components is the key that makes code coverage more complete. Hopefully the white-box and black-box analysis camps will take inspiration from the peanut butter cup and start working together to create more reliable and more trustworthy Web-application analysis tools.

About the author

Bryan Sullivan's picture Bryan Sullivan

Bryan Sullivan is a security program manager on the Security Development Lifecycle (SDL) team at Microsoft. He is a frequent speaker at industry events, including Black Hat, BlueHat, and RSA Conference. Bryan is also a published author on Web application security topics. His first book, Ajax Security was published by Addison-Wesley in 2007.

AgileConnection is one of the growing communities of the TechWell network.

Featuring fresh, insightful stories, is the place to go for what is happening in software development and delivery.  Join the conversation now!