The goal of security testing is to ensure the robustness of the software under test, even in the presence of a malicious attack. The designers and the specification might outline a secure design, the developers might be diligent and write secure code, but it�s the testing process that determines whether the software is secure in the real world. Testing is an essential form of assurance. Testing is laborious, time consuming, and expensive, so the choice of testing (black box, or white box, or a combination) should be based on the risks to the system. Risk analysis provides the right context and information to make tradeoffs between time and effort to achieve test effectiveness.
White box testing is typically very effective in validating design decisions and assumptions and finding programming errors and implementation errors in software. For example, an application may use cryptography to secure data from specific threats, but an implementation error such as a poor key management technique can still leave the application vulnerable to security violations. White box testing can uncover such implementation errors.