Sunday, 31 December 2006

Pen Testing Methodologies

There are three methodologies that are used by Penetration Testers. The methodology is usually selected by the client depending on their requirements. The three methodologies are:

White Box Model
Black Box Model
Grey Box Model

With the White Box Model the Pen Tester is given details of the technology in use by the company, the network topology etc. and given permission to interview and liaise with the employees and IT staff.

The Black Box Model is the exact opposite, the tester is usually given no information other than the name of the company, and the staff of the company are not even told that the Pen Tests are being conducted.

The Grey Box Model is a hybrid of the two previous models, some information will be given to the Pen Tester but not a lot. This will depend on the client as to what information they wish to give.

"So, let us not be blind to our differences - but let us also direct attention to our common interests and to the means by which those differences can be resolved." - John F Kennedy

No comments: