There are many benefits to white box testing, including the following:
Analyzing source code and developing tests based on the
implementation details enables testers to find programming errors quickly.
For example, a white box tester looking at the implementation can quickly
uncover a way, say, through an error handling mechanism, to expose secret
data processed by a component. Finding such vulnerabilities through black
box testing requires comparatively more effort than finding them through
white box testing. This increases the productivity of the testing effort.
Executing some (hard to set up) black box tests as white box tests
reduces complexity in test setup and execution. For example, driving a
specific input into a component buried inside the software may require
elaborate setup for black box testing but may be done more directly through
white box testing by isolating the component and testing it on its own. This
reduces the overall cost (in terms of time and effort) required to perform
such tests.
Validating design decisions and assumptions quickly through white box
testing increases effectiveness. The design specification may outline a
secure design, but the implementation may not exactly capture the design
intent. For example, a design might outline the use of protected channels
for data transfer between two components, but the implementation may be
using an unprotected method for temporary storage before the data transfer.
This increases the productivity of testing effort.
Finding "unintended" features can be quicker during white box
testing. Security testing is not just about finding vulnerabilities in the
intended functionality of the software but also about examining unintended
functionality introduced during implementation. Having access to the source
code makes it easier to understand and uncover additional unintended
behavior of the software. For example, a component may have additional
functions exposed to support interactions with some other component, but the
same functions may be used to expose protected data from a third component.
Depending on the nature of the "unintended" functionality, it may require a
lot more effort to uncover such problems through black box testing alone.
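
The first two benefits above (an error handling mechanism that exposes secret data, and isolating a buried component to drive a specific input into it) can be shown in one white box test. This is an added example, not code from the original article; the TokenStore classes, the helper function and the sample secret are hypothetical and constructed for illustration.

```python
import hashlib
import hmac


class TokenStoreLeaky:
    """Hypothetical component buried inside a larger application."""

    def __init__(self, secret: str):
        self._secret = secret

    def sign(self, payload):
        try:
            return hmac.new(self._secret.encode(), payload.encode(),
                            hashlib.sha256).hexdigest()
        except AttributeError as exc:
            # Defect a source reviewer spots at once: the handler echoes the key.
            raise ValueError(
                f"sign failed for {payload!r} with key {self._secret}") from exc


class TokenStoreFixed(TokenStoreLeaky):
    """Same component with the error handler corrected."""

    def sign(self, payload):
        try:
            return hmac.new(self._secret.encode(), payload.encode(),
                            hashlib.sha256).hexdigest()
        except AttributeError:
            # Report the failure without including any secret material.
            raise ValueError("sign failed: payload must be a string") from None


def error_path_leaks_secret(component_cls, secret="s3cr3t-constructed"):
    """White box check: instantiate the component on its own, force the
    error branch, and inspect every message in the exception chain."""
    component = component_cls(secret)
    try:
        component.sign(12345)  # non-string input chosen from reading the source
    except ValueError as err:
        messages, cur = [], err
        while cur is not None:
            messages.append(str(cur))
            cur = cur.__cause__ or cur.__context__
        return any(secret in m for m in messages)
    raise AssertionError("expected the error branch to be taken")


if __name__ == "__main__":
    print("leaky handler exposes secret:", error_path_leaks_secret(TokenStoreLeaky))
    print("fixed handler exposes secret:", error_path_leaks_secret(TokenStoreFixed))
```

A black box test would have to find an external input that reaches this handler and then recognize the key in whatever output surfaces; here the branch is exercised directly.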