What is Black Box Testing?

Black box testing, a form of testing that is performed with no knowledge of a system’s internals, can be carried out to evaluate the functionality, security, performance, and other aspects of an application. Dynamic code analysis is an example of automated black box security testing. Black box evaluators define test cases and interact with the software like a user would to validate that it does what it should, how it should.

Types Of Black Box Testing

Black box testing is a methodology of performing tests. These tests can be designed to accomplish a few different goals, including:

  • Functional Testing: Functional testing is intended to validate that an application does what it is supposed to do. For example, functional tests may test an application’s authentication mechanism to check that legitimate users can authenticate successfully while invalid login attempts are rejected. Common types of functional testing include sanity checks, integration testing, and system testing.
  • Non-Functional Testing: Non-functional testing evaluates how well an application performs its core functions. Examples of tests include performance, usability, scalability, and security testing.
  • Regression Testing: Regression testing is designed to ensure that a change to an application does not break functionality. For example, regression testing should be performed after patching a vulnerability in an application to ensure the patch has not caused the application to fail functional or non-functional tests.

Black Box Testing Techniques

With no internal knowledge of an application, structure is important to ensure that the test covers all necessary cases. Some common techniques for performing a black box evaluation include:

  • Equivalence Class Testing: An application may follow the same control flow for certain types of inputs. For example, an application that should only be accessible to adults may terminate if a user enters an age under 18 or a tool with a limited service area may terminate for country or postal codes outside of that area. With equivalence class testing, testers identify these classes that produce the same results and only test for one value within that class.
  • Boundary Value Evaluation: Boundary values are inputs at which an application’s behaviour switches from one control flow to another. For example, the ages 17 and 18 are boundary values for adulthood since a 17-year-old may be rejected by an application, while an 18-year-old would be accepted. Boundary value evaluation tests these inputs to ensure that the system is properly handling these edge cases.
  • Decision Table Testing: An application may be designed to make decisions based on a combination of inputs. For example, users over the age of 18 and living within a particular area may be able to access an application. Decision table testing involves enumerating each combination of inputs and its expected outcomes and developing a test case to validate each combination.
  • State Transition Evaluation: An application may be designed to change state under certain conditions, such as locking a user’s account after a certain number of failed authentication attempts. State transition evaluation involves identifying these situations and developing test cases to validate them.
  • Error Checking: This form of evaluation tests for common errors that a developer may have made when creating an application. This often revolves around input sanitization and ensuring that assumptions about an input are enforced. For example, testers may check to see if developers properly handled an input of zero in a numeric field or restricted the character set for a name to the letters and symbols that can appear in a name.
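The five techniques above, written out as black-box test cases against one access gate. This is an added example, not Check Point's code or the page's own: `access_allowed()`, `LoginGuard`, the `ALLOWED_REGIONS` service area and the lockout threshold of 3 are assumed stand-ins for the opaque system under test, which the tester only calls and never inspects.

```python
# Added example (not Check Point's code): black-box cases for a hypothetical
# access gate. access_allowed() and LoginGuard are assumed stand-ins for the
# opaque system under test; the tester only calls them, never inspects them.
ALLOWED_REGIONS = {"US", "CA"}  # assumed service area
LOCK_THRESHOLD = 3              # assumed lockout policy

def access_allowed(age, region):
    """Stand-in for the black box: adults inside the service area only."""
    return age >= 18 and region in ALLOWED_REGIONS

class LoginGuard:
    """Stand-in for the black box's account-lockout behaviour."""
    def __init__(self, password="correct"):
        self._password, self.failures, self.locked = password, 0, False

    def login(self, attempt):
        if self.locked:
            return "locked"
        if attempt == self._password:
            self.failures = 0
            return "ok"
        self.failures += 1
        self.locked = self.failures >= LOCK_THRESHOLD
        return "rejected"

# Equivalence classes: one representative per class (minor, adult,
# out of area) plus the zero input the error-checking step looks for.
EQUIVALENCE_CASES = [(5, "US", False), (30, "US", True),
                     (30, "FR", False), (0, "US", False)]
# Boundary values: control flow switches between 17 and 18.
BOUNDARY_CASES = [(17, "US", False), (18, "US", True)]
# Decision table: every combination of the two conditions and its outcome.
DECISION_TABLE = [(True, True, True), (True, False, False),
                  (False, True, False), (False, False, False)]

def run_access_cases():
    """Return (case, passed) for every input-based black-box case."""
    results = [((a, r), access_allowed(a, r) == exp)
               for a, r, exp in EQUIVALENCE_CASES + BOUNDARY_CASES]
    for adult, in_area, exp in DECISION_TABLE:
        age, region = (25 if adult else 12), ("US" if in_area else "FR")
        results.append(((adult, in_area), access_allowed(age, region) == exp))
    return results

def run_state_transition_case():
    """Lockout must persist even when the correct password follows."""
    guard = LoginGuard()
    observed = [guard.login("wrong") for _ in range(LOCK_THRESHOLD)]
    observed.append(guard.login("correct"))
    return observed  # -> ['rejected', 'rejected', 'rejected', 'locked']
```

A failing entry in `run_access_cases()` points at the exact class, boundary or table row the black box mishandles, which is the level of detail a tester without source access can still report.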

Black Box vs White Box Testing

While black box testing is named for the fact that the tester has no internal knowledge of the application (i.e. it’s a “black box”), a white box evaluation takes the opposite approach. Some of the key differences between black box and white box testing include:

  • Black Box Testing: The tester interacts with the application and attempts to validate that it meets functional and non-functional requirements and specifications. The lack of internal knowledge can make these tests more time-consuming and may cause vulnerabilities in unvisited code paths to go undetected. However, it has the advantage of being language- and platform-agnostic.
  • White Box Testing: As opposed to black box testing, white box evaluations are performed with full knowledge of an application’s internals, including access to the source code. White box testing offers better test coverage than black box testing since all code can be evaluated. However, it requires expertise with the language in which the code was developed.

Black box and white box testing represent two extremes in how testing can be performed. Gray box testing falls in between. In a gray box evaluation, the tester has partial knowledge of the system’s internals, which can help to guide the evaluation. Runtime application self-protection (RASP) is a security tool that falls into the gray box testing category.

Black Box Security Testing with Check Point

Check Point Professional Services offers a range of Cybersecurity Resilience/Penetration Testing services. This includes black box, gray box, and white box security assessments.

Learn more about Check Point’s professional testing services. You’re also welcome to contact us to learn how we can help to identify and correct security issues within your organization.
