Denim Group has been acquired by Coalfire. Learn More>>

Black Box Testing vs. White Box Testing?

Black box testing is automated application security testing that views the security state of an application from the outside looking in. In this way, it mirrors the perspective of an outside attacker and infers that certain vulnerabilities exist by sending inputs to an application and analyzing outputs. It does not involve review of application source code.

White box testing involves reviewing application source code to determine the difference between what security was designed in the system and what was built. This typically complements  an architectural design review to identify non-code problems.

Black Box Testing


  • Well understood by security professionals
  • Measures security state of environment in which application resides
  • Can quantify security risks of third-party components or other resources outside the application


  • Results tell you what vulnerabilities exist, not how or why they exist
  • Can only test the attack surface they identify
  • May be additional endpoints with vulnerabilities
  • Provides less input for remediation

White Box Testing


  • Identifies exactly where vulnerabilities exist and why/how they occurred
  • Tells you definitively whether code design is implemented in source code
  • Easier to begin remediation because the exact location of the vulnerabilities has been identified


  • Potentially can generate a large number of false positives (“noise”) if source code analyzer is not tuned well
  • Provides less feedback on environmental components that affect the security of an application
  • Likely the sole domain of developers-security staff are less trained to interpret results
  • Sometimes hard to identify context

Leave a Reply

Your email address will not be published. Required fields are marked *