Any security testing method aims to ensure that the software under test
meets the security goals of the system and is robust and resistant to malicious
attacks. Security testing combines two distinct approaches: first, testing
security mechanisms to confirm that their functionality is correctly implemented;
and second, performing risk-based security testing driven by understanding and
simulating the attacker's approach. White box security testing follows both
of these approaches and uncovers programming and implementation errors. The
errors uncovered during white box testing are many and highly dependent on the
context of the software under test. Examples of errors uncovered include:
- data inputs compromising security
- sensitive data being exposed to unauthorized users
- improper control flows compromising security
- incorrect implementations of security functionality
- unintended software behavior that has security implications
- design flaws not apparent from the design specification
- boundary limitations not apparent at the interface level
White box testing greatly enhances overall test effectiveness and test
coverage, and it improves productivity in uncovering bugs that are hard to
find with black box testing or other testing methods alone.
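The following is an added example, not part of the original text, illustrating the "improper control flows compromising security" error category and why white box testing finds it where black box testing tends not to. The access-control routine, the role policy table, and the test inputs are all constructed for this illustration and do not describe any real product; the functions `is_allowed_flawed`, `is_allowed_fixed`, `whitebox_cases` and `run_cases` are hypothetical names.

```python
"""
Added example (constructed, not from the original text): white box tests that
target each internal branch of an access-control decision. A black-box tester
who only knows the documented roles never exercises the "unknown role" branch,
which is exactly where the flawed version grants access by default.
"""

# Constructed policy table: which roles may perform which actions.
POLICY = {
    "admin": {"read", "write", "delete"},
    "editor": {"read", "write"},
    "viewer": {"read"},
}

# Constructed audit sink so the example runs offline.
AUDIT_LOG = []


def _audit(msg):
    """Record an audit message (stand-in for a real logger)."""
    AUDIT_LOG.append(msg)


def is_allowed_flawed(role, action):
    """Flawed control flow: the else-branch was meant to deny, but it only
    logs and falls through to the initial value of 'allowed', which is True.
    This is an 'improper control flow compromising security' error."""
    allowed = True
    if role in POLICY:
        allowed = action in POLICY[role]
    else:
        _audit(f"unknown role {role!r}")  # intended deny never happens
    return allowed


def is_allowed_fixed(role, action):
    """Hardened version: deny by default and grant only on an explicit match."""
    if role not in POLICY:
        _audit(f"unknown role {role!r}")
        return False
    return action in POLICY[role]


def whitebox_cases():
    """One input per branch of the decision, chosen from reading the code:
    known role with permitted action, known role with forbidden action, and
    two inputs that reach the else-branch (empty and unlisted roles)."""
    return [
        ("admin", "delete", True),
        ("viewer", "write", False),
        ("", "delete", False),      # reaches the else-branch
        ("guest", "read", False),   # reaches the else-branch
    ]


def run_cases(check):
    """Run the branch-targeted cases against a checker function.

    Returns a list of (role, action, expected, got) tuples for every case
    whose result differs from the expected decision; empty means all passed.
    """
    failures = []
    for role, action, expected in whitebox_cases():
        got = check(role, action)
        if got != expected:
            failures.append((role, action, expected, got))
    return failures


if __name__ == "__main__":
    print("flawed:", run_cases(is_allowed_flawed))  # two else-branch failures
    print("fixed: ", run_cases(is_allowed_fixed))   # []
```

The point of the example is the test design rather than the bug itself: the two failing cases come from reading the function's branches, not from its interface documentation, which only lists the three known roles.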