3 major flaws of the black-box approach to security testing

Imagine a castle with a king who wants to know if he could be assassinated. He orders a loyal noble to send some knights to try to break into the castle. He gives no information to those knights about the castle defenses. After all, the king thinks that what he needs is for them to pretend to be his enemies, and his enemies don’t have any of that information.

This is the black-box approach to security testing, the methodology that people most often request. Unfortunately, they are usually unaware of its many drawbacks. In black-box testing, you tell your security evaluators nothing about how the system works. The methodology limits information in an attempt to replicate real-world conditions, but that premise is flawed.

A few weeks later, the king is murdered. His enemies found a secret tunnel that the knights didn't know about and used it to reach the king. The king knew about this tunnel; it was his escape route in the event of a siege. But he never told the knights about it. By intentionally limiting information, the king lost his life.

Yes, this metaphor is a bit whimsical, but it makes clear why a