what is the difference between white and black box testing?
white box: all manufacturers knowledge available
black box: no insider knowledge
why should you test?
to uncover security-related defects
what techniques to test are there?
- creation of input, edge cases, sequence of events
- modification of execution environment
what are the levels of vulnerability analysis
- survey
- analysis
- focused analysis
- methodical analysis
- advanced methodical analysis
what is done in a vulnerability survey?
- survey of public information to determine vulnerabilites in a product
- only vulnerabilites that are known and easy to find
- perform own tests assuming basic attack potential
what is done in a vulnerability analysis?
- Requires functional specification for security mechanisms
- Evaluator performs own tests assuming Basic attack potential
how much time does vulnerability analysis consume?
In evaluationsoften50% ofeffort
what is done in focused vulnerability analysis?
- Requires sourcecode at least for security
mechanisms
-Evaluator performs own tests assuming Enhanced-Basic attack potential
what is done in methodical vulnerability analysis?
- Same prerequisites as focused vulnerability analysis
- Evaluator performs own tests assuming Moderate attack potential
what is done in advanced methodical vulnerability analysis?
-Evaluator performs own tests assuming High attack potential
