The main cost drivers for white box testing are the following:

Specialized skill requirements: White box testing is knowledge-intensive.
White box testers must not only know how to analyze code for security
issues but also understand the different tools and techniques used to test
the software. Security testing is not just validating designed functionality
but also proving that the defensive mechanisms work correctly. This requires
considerable experience and expertise. Testers who can perform such tasks
are expensive and hard to find.

Support software development and tools: White box testing requires
development of support software and tools to perform testing. Both the
support software and the tools depend largely on the context of the
software under test and the type of test technique employed. The types of
tools used include program understanding tools, coverage tools, fault
injection tools, and source code analyzers.

Analysis and testing time: White box testing is time-consuming, especially
when applied to the whole system. Analyzing design and source code in
detail for security testing takes time, but it is an essential part of
white box testing. Tools (source code analyzers, debuggers, etc.) and
program understanding techniques (flow graphs, data-flow graphs, etc.) help
speed up analysis. White box testing directly identifies implementation
bugs, but determining whether those bugs can be exploited requires further
analysis work. The consequences of failure help determine the amount of
testing time and effort dedicated to certain areas.