What Type of Penetration Test do you Need for your Site?

Along with my whole experience in penetration testing, every time I start a new mission I always ask my clients this question. What type of penetration test do you need me to perform? Therefore, I decided to write a post about it.

The best penetration test type in terms of source code confidentiality, the needed time to perform the tests, and the efficiency of the tests is the gray box pentest.

However, if you want a deeper and advanced analysis of your app or your website code, to find complex vulnerabilities, then a Whitebox penetration test becomes the best choice for you. You may notice that I did not talk about the blackbox penetration test, and this is for a reason that I am going to talk about in the next paragraphs.

By asking this question to many clients, I have noticed that most of them know the types, but they do not know how to decide which one is best for them. Therefore, I have decided to write a blog post where I explain with examples all the types of penetration tests that exist, what are the pros and cons of each one of them, and of course what is the best for each situation you may get in.

Now, if you are in this situation and you want to know which one will fit your need. Therefore, I really encourage you to try to know and understand much more the pros and the cons of each of the types, then and only then, you will be able to take the right decision. So this is what we are going to discuss in the next paragraphs of this article.

Type 1 : Blackbox penetration test pros and cons

For those who are not familiar with these technical words, the Blackbox penetration test is a type of cybersecurity audit where no information about the targeted website apart from the URL is given to the service provider. In this type of penetration test, the pentester tries to get passively as much information as possible about the app he is trying to test first. Then he starts to actively look for vulnerabilities. This first start is the most time-consuming part of the whole penetration test and that is because it is the most important and represents the base of the whole mission. The more information you get about the app the fastest you found vulnerabilities on it.

At first look, this type of penetration test may look like the most realistic type between the three but trust me when I say this … it not. As I said, this type of penetration testing needs to gather as much information as possible about the target, and this gathering needs to be performed without the help of any person. Until here everything is good and this is pretty the same process that needs to be done by someone that wants to hack your website. However, what you may not think about is that the time frame for a real attacker and your penetration tester is not the same at all.

For a bad hacker that wants to hack your website, he has the whole life to find a vulnerability and exploit it. Nevertheless, for a penetration tester, this is not the case. In general, the penetration test mission against a big website takes between 1 week to max 1 month for a very deep and complex website. In addition, the penetration tester would need to spend at least 2/3 of the mission time trying to just understand the app and gather as much information as possible about the app.

Therefore, this is not even close to being a realistic mission. For me, it is a waste of time for the client. The time that the penetration tester loses while trying to understand and gather information about the app needs to be used to identify the real risks.

Now here is something really interesting to know about the blackbox penetration test. Actually, if you take a look at the biggest companies that work in cybersecurity like Google, Facebook, Microsoft … You may notice that they actually work most of the time with the blackbox type (publicly), with what we call bugbounties programs. This is a completely different concept that I may write an article about, but what you need to know is that big companies usually use bugbounties after their solution security hits a certain level of maturity. Simply because at this level of maturity, the cost of performing a gray or white box penetration test becomes very high as the time needed to find only one vulnerability gets high.

The last thing, that I would like to mention here is that the detection rate of vulnerabilities using the blackbox penetration test is always way lower than the other types. This could be due to many factors like a misunderstanding of some collected information, not finding enough information about the app in the time frame he get, or just because for example the user accounts are protected with some very expensive payment pages that the penetration tester could not afford.

Here is a table that summarize a little bit what I have said till now about blackbox pros and cons :

Type 2: Graybox penetration test pros and cons

Now let us talk about one of my favorite types of penetration tests, the Graybox penetration test. Let me first explain what a Graybox penetration test is before we start discussing its pros and cons. A gray box penetration test is sort of the middle solution between giving all your information to the penetration test and not giving anything at all.

In general, in the gray box penetration testing, the service provider only gets some legitimate and possible to get information about the app. He may also make a meeting with your development team to learn more about what the application does and how it works without taking a look at the source code.

Offering this information directly to the penetration tester, reduce considerably the pentest mission time and help him start quickly looking for vulnerabilities. In addition, having this information from the source, ensure that the penetration test does not get into a rabbit hole due to the misunderstanding of some information.

Type 3: Whitebox penetration test pros and cons

The most effective penetration test that a company may perform against their website, is the Whitebox penetration test. In the whitebox penetration test, all the confidential and non-confidential information is given to the penetration tester, including the source code. Actually, the source code is the most important.

Having such an amount of information, give the penetration tester a quick and deeper understanding of the app. However, having all this information does not mean reducing the time of the penetration test. Actually when a penetration tester receives, the source code of the app there is two more jobs that he will need to perform.

The first thing he will need to perform is what we call a Static analysis of the source code. Here he will try to look for vulnerabilities statically without running the app. This phase of the Whitebox penetration test consumes a lot of time and requires an advanced level of skills and knowledge of the used development technologies. However, the vulnerability discovery rate in this first step is very important with near-zero false positive.

The second part of the Whitebox penetration test process is the dynamic analysis. This phase looks like the Graybox penetration test but with a deeper control and knowledge of the app, as here even the host that run the app is under the control of the penetration tester.