White, Grey, and Black Box HACKING methods [How, When, & Why I use each] скачать в хорошем качестве

White, Grey, and Black Box HACKING methods [How, When, & Why I use each]

Security testers use White-Box, Black-Box, and Grey/Gray-Box methods for different purposes during penetration tests and while performing network-layer, application-layer, and a slew of other assessments. Understanding the important differences between each, when to use each method, how they affect testing, and why to use each one is core to a successful test. Knowing the advantages and disadvantages will help your client gets the results they need to become more secure. I got a question on my scoping penetration tests video about the differences between Black-Box, White-Box, and Grey-Box security testing methods. I did my best to cover all the aspects of "What" each is, "How" they affect testing, "When" to perform each, and "Why" use one over another with advantages to each. High-level, the difference is the amount of knowledge and access provided to the tester. Where Black-Box is none, and White-Box is full access to all information. Grey-Box is that squishy term for anything in between. Black-Box: Application-layer example - All you get is the URL. Testers assess applications more Gray-Box since some knowledge and access allows authorization testing between user privileges. Typically, testers start with DAST tools like Burp. Black-Box: Network-layer example - You get nothing. Testers need to find the IP addresses using OSINT. Gray-Box can reduce the cost by saving some cycles by providing IP addresses. If it is a penetration test or vulnerability assessment, testers will be using Nmap and other enumeration tools. White-Box: Application-layer example - Testers get all the source code, libraries, dataflow diagrams, credentials, etc. SAST and other static code analysis tools are your go-to. There is no reason to dynamically fuzz the application for SQLi when you can review the code directly. White-Box App testing is part of any mature CI/CD process. White-Box: Network-layer example - This type of test follows a network audit and not a "hacker-like" engagement. An analyst will use authenticated network scanning with a vulnerability analysis tool like Nessus, Qualys, OpenVAS, etc. Black-Box, White-Box, or Grey-Box: What they are, How they affect testing, When to perform each, and Why conduct one over another. Also, is it grey or gray? Thank you for watching. Please let me know in the comment section if you have any questions. 👉 Subscribe to the channel -    / @alexchaveriat   🌏 Keep in touch: Twitter:   / alexchaveriat   📷 My YouTube Kit/Gear - https://kit.co/alexchaveriat Timestamps: 0:00 What is this video about? 1:00 What is the difference between white-box, grey-box, and black-box testing methods? 1:52 Examples of each method for the physical, network, and application layer 3:14 How does each method affect testing? 3:19 Application-layer Black-Box 3:40 Application-layer White-Box 4:00 Network-layer Black-Box 4:20 Network-layer White-Box 4:57 Network-layer Grey-Box 5:15 When to use each security testing method 5:18 When to use White-Box for Application Testing 5:30 When to use Black-Box for Application Testing 5:48 When to use White-Box for Network Testing 6:05 When to use Black-Box for Network Testing 6:18 Why use Black-Box vs White-Box vs Grey-Box? 6:31 Why use Black-Box for Network-Layer? 6:59 Why use Black-Box for Application-Layer? 7:07 Why use White-Box for Application-Layer? 7:19 Why use White-Box for Network-Layer? 7:29 Why use Grey-Box for Network-Layer? 7:54 Why use Grey-Box for Application Layer? 8:13 Overall why use White-Box? 8:23 Overall why use Black-Box? 8:29 Advantages of each method 8:31 Advantages of White-Box for Application-Layer 8:38 Advantages of Black-Box for Application-Layer 8:59 Advantages of Black-Box for Network-Layer 9:36 What is the way to determine the appropriate method?