Testing Methods

Black Box

Penetration tests based on the Black Box method are essentially a simulation of attempted penetrations that is as authentic as possible. The specialists performing these tests have no prior knowledge of the system being evaluated, neither of the infrastructure protecting the application, nor of the application itself or its source code.
BugSec's experts carry out the tests as "hackers"; therefore, many professionals in the field of information security regard this method as the one that most realistically indicates the level of risk faced by the organization's databases and applications.

White Box

As opposed to the previous testing method, tests performed in accordance with the White Box method are carried out by experts who are familiar with the internal characteristics of the system under evaluation, from both the application and the infrastructure aspects.
These tests are extremely broad in scope and highly effective: BugSec's experts become aware of every vulnerability and exposure existing in the systems, since the whole system, including the application code, is laid out before them in the most transparent manner.
BugSec usually recommends performing these tests after tests based on the Black Box method have been completed, in order to make it possible to grade the level of severity and risk of each finding and to devise a well thought out repair plan, including the chronological order in which the various repairs should be made.

Gray Box

Tests performed according to the Gray Box method combine the White Box and the Black Box methods, allowing the organization to choose which data to provide to the experts conducting the tests, so that testing commences from the best starting point, based on selected pieces of information concerning the network and the application. Some experts regard this method as the most legitimate, since many hackers are in any case exposed to a great deal of information about the infrastructure of the organization they are attempting to attack, from economic/technological publications and from sales data they manage to acquire.

Additionally, in many cases, the organization is interested in exposing only partial information; tests performed according to the Gray Box method will meet this preference.

Code Review

Application code review makes it possible to find all the information security problems in a comprehensive and accurate manner. By reviewing the code of functions and objects, the specialist performing the test can identify information security deficiencies and locate problems that are more difficult to identify when carrying out regular penetration tests.

BugSec's experts have performed a large number of code reviews in Web environments, cellular device applications, server/client applications, content-screening Gateway applications, and more.

Code reviews comprise a layer of the White Box testing method, which exposes the system code to the BugSec experts performing the test. Code review services may save the organization a great deal of money at later stages: professional support by an information security expert while the application is being written, and scanning of the code during the early stages, lead to the precise identification of information security deficiencies in the code, which are much easier to repair at the early stage of development than later on, when, as researchers have revealed, modifications cost ten times more than those made in the early stages.
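The following is an added example, not BugSec's tooling and not code from the original page, illustrating the kind of deficiency a reviewer reading functions and objects finds but a Black Box test cannot see from the outside: a hard-coded credential, a database query assembled from untrusted input, and a subprocess call that hands input to a shell. The sample application source is constructed for the example; the rule names, the helper `_is_concatenated` and the `review` function are assumptions of this example. A reviewer would run checks like these as a first pass and then read the flagged functions by hand.

```python
import ast

# Constructed sample of application source (not from any real project): the
# kind of code a reviewer reads function by function.
SAMPLE_SOURCE = '''
import sqlite3
import subprocess

DB_PASSWORD = "hunter2"          # secret committed to source control

def find_user(conn, username):
    cur = conn.cursor()
    # query text assembled from untrusted input (SQL injection)
    cur.execute("SELECT * FROM users WHERE name = '" + username + "'")
    return cur.fetchone()

def find_user_safe(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (username,))
    return cur.fetchone()

def ping(host):
    # shell=True lets shell metacharacters in host reach /bin/sh
    return subprocess.run("ping -c 1 " + host, shell=True)
'''

# Variable-name fragments that suggest a credential (assumed list for this example)
SECRET_NAMES = ("password", "passwd", "secret", "token", "api_key")


def _is_concatenated(node):
    """True when an expression is built at runtime: + or % on strings,
    str.format(...), or an f-string."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


def review(source):
    """Return a sorted list of (line, rule_id) findings for the given source text."""
    findings = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        # Rule 1: a string literal assigned to a secret-looking name
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str)):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(
                        k in target.id.lower() for k in SECRET_NAMES):
                    findings.append((node.lineno, "HARDCODED_SECRET"))
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            # Rule 2: .execute(...) whose query text is assembled at runtime
            if (node.func.attr in ("execute", "executemany") and node.args
                    and _is_concatenated(node.args[0])):
                findings.append((node.lineno, "SQL_STRING_BUILD"))
            # Rule 3: subprocess-style call with shell=True
            if node.func.attr in ("run", "call", "Popen", "check_output", "check_call"):
                for kw in node.keywords:
                    if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                            and kw.value.value is True):
                        findings.append((node.lineno, "SHELL_TRUE"))
    return sorted(findings)


if __name__ == "__main__":
    for line, rule in review(SAMPLE_SOURCE):
        print(f"line {line}: {rule}")
```

Note that `find_user_safe`, which uses a parameterized query, produces no finding, while `find_user` does; from outside, in a Black Box test, both functions answer the same requests and only probing reveals the difference, whereas the review sees it directly in the code.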