In a black-box testing assignment, the pen-tester is placed in the role of an external attacker with no internal knowledge of the target system. Testers are given no architecture diagrams and no source code beyond what is publicly available. A black-box pen-test therefore identifies the vulnerabilities in a system that are exploitable from outside the network.
WHY PERFORM BLACK-BOX TESTING?
Because nothing is provided up front, black-box pen-testing relies on dynamic analysis of the programs and systems currently running within the target network. A black-box pen-tester must be familiar with automated scanning tools as well as manual pen-testing methodologies, and must be able to build their own map of the target network from their observations, since no diagram is supplied to them.
The limited knowledge given to the pen-tester makes black-box pen-tests the quickest to set up, since no time is spent on documentation or source review; the duration of the assignment then depends largely on the tester's ability to locate and exploit vulnerabilities in the target's outward-facing services. The major downside of this approach is that if the testers cannot breach the perimeter, vulnerabilities in internal services remain undiscovered and unpatched, so a clean black-box result says nothing about the security of the internal network.
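The map-building step described above, as an added example that is not from the original article: a Python script that parses nmap's grepable (-oG) output, the kind of raw observation a black-box tester actually starts from, into a per-host inventory of outward-facing services and flags those that are rarely meant to be reachable from the Internet. The scan lines are constructed sample data on the TEST-NET-3 documentation range (203.0.113.0/24), not a real scan, and the RISKY_SERVICES list is an assumption made for this example rather than a standard from the article.

```python
"""Turn nmap -oG observations into a map of a black-box target's exposed services.

Added example, not code from the original article. Input is constructed sample
data; the "risky" service list is an assumption chosen for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample of nmap -oG output for the TEST-NET-3 range (not a real scan).
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - 203.0.113.8/29
Host: 203.0.113.10 (www.example.com)\tStatus: Up
Host: 203.0.113.10 (www.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|http//nginx 1.18.0/\tIgnored State: closed (997)
Host: 203.0.113.11 ()\tStatus: Up
Host: 203.0.113.11 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (998)
Host: 203.0.113.12 (db.example.com)\tPorts: 3306/open/tcp//mysql//MySQL 5.7.40/
# Nmap done -- 3 IP addresses (3 hosts up) scanned
"""

# Services a tester would not expect to see on the perimeter. Assumption for
# the example: tune it to the engagement's scope and the client's policy.
RISKY_SERVICES = {
    "ssh", "telnet", "ftp", "ms-wbt-server", "microsoft-ds", "mysql",
    "postgresql", "ms-sql-s", "redis", "mongodb", "vnc",
}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s*(.*)$")


@dataclass(frozen=True)
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str


def parse_grepable(text):
    """Return {ip: (hostname, [Service, ...])} built from nmap -oG lines.

    Each "Ports:" entry is port/state/proto/owner/service/rpc/version/ (seven
    slash-separated fields); nmap rewrites "/" inside values as "|", so a plain
    split is safe, as the "ssl|http" entry in the sample shows.
    """
    inventory = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and the trailing "Nmap done" summary
        ip, hostname, rest = m.groups()
        hostname, services = inventory.setdefault(ip, (hostname, []))
        for field in rest.split("\t"):
            if not field.startswith("Ports:"):
                continue  # "Status:" and "Ignored State:" carry no service data
            for item in field[len("Ports:"):].split(","):
                item = item.strip()
                if not item:
                    continue
                port, state, proto, _owner, name, _rpc, version = item.split("/")[:7]
                services.append(Service(int(port), proto, state, name, version))
    return inventory


def exposed_services(inventory):
    """Every open service reachable from outside, one row per host and port."""
    rows = []
    for ip, (hostname, services) in sorted(inventory.items()):
        for svc in sorted(services, key=lambda s: s.port):
            if svc.state == "open":  # filtered/closed ports are not a foothold
                rows.append((ip, hostname, svc.port, svc.name, svc.version))
    return rows


def perimeter_findings(inventory):
    """Open services whose name is in RISKY_SERVICES: the first places to dig."""
    return [(ip, port, name)
            for ip, _host, port, name, _ver in exposed_services(inventory)
            if name in RISKY_SERVICES]


def render_map(inventory):
    """Plain-text network map of the kind a black-box tester maintains by hand."""
    lines = []
    for ip, host, port, name, version in exposed_services(inventory):
        label = f"{ip} ({host})" if host else ip
        lines.append(f"{label:36} {port:>5}/{name:<14} {version}")
    return "\n".join(lines)


if __name__ == "__main__":
    inv = parse_grepable(SAMPLE_SCAN)
    print(render_map(inv))
    for ip, port, name in perimeter_findings(inv):
        print(f"REVIEW: {name} exposed on {ip}:{port}")
```

Feeding real scan output into this (`nmap -sV -oG scan.gnmap <scope>`) gives the tester a living inventory to grow as further observations arrive; the point is that the map is assembled from the outside in, which is exactly why anything behind the perimeter never appears in it.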
Tests are unbiased, because the tester works independently of the developers and is not steered by their assumptions about the system.
Tests are performed from an attacker's point of view, so the findings reflect the risks actually reachable within the scope tested.
Testers need no knowledge of the implementation, programming language, or operating system, so a large pool of skilled testers can take on the application.