White-box testing goes by several different names, including clear-box, open-box, auxiliary and logic-driven testing. It falls on the opposite end of the spectrum from black-box testing, and pen-testers are given full access to the source code, architecture documentation, and so forth. The main challenge with white-box testing is sifting through the massive amount of data available to identify potential points of weakness, making it the most time-consuming type of pen-testing.

Unlike black-box and grey-box testing, white-box pen-testers can perform static code analysis, making familiarity with source code analysers, debuggers and similar tools important for this type of testing. However, dynamic analysis tools and techniques are also important for white-box testers since the static analysis can miss vulnerabilities introduced by misconfiguration of target systems.

White-box pen-testing provides a comprehensive assessment of both internal and external vulnerabilities, making it the best choice for calculation testing. The close relationship between white-box pen-testers and developers provides a high level of system knowledge but may affect tester’s behaviours, since they operate based on knowledge not available to hackers.