Black Box Security Testing

By: Security Cube  09-12-2011
Keywords: Security, Application Security

Black Box Testing is not a single test but a testing strategy that allows for a timely and thorough application security review, measuring how vulnerable the application's security controls are to both unauthorized and legitimate users.
Also known as 'Opaque', 'Functional/Behavioural' or 'Closed Box' testing, Black Box testing does not require access to source code, making it the fastest and easiest way to explore software from the outside in order to gauge its vulnerability to compromise.

Our Approach
The Security Cube's methodology allows for testing from all user perspectives (including external unauthorized use) and all privilege levels. Our custom "proof-of-concept" methods highlight any high-risk vulnerabilities that may potentially compromise your application's security.
Security Cube provides you with the testing tools and systems to identify any potential breaches of security, illustrate their associated risks, and then communicate the findings to all business stakeholders.

The Security Cube's methodical approach combines manual and automated dynamic security testing techniques and proprietary application security directives (ASDs). We use premier proprietary and commercial dynamic assessment tools to create a consistent and measurable process that can be replicated on an ongoing basis.

The Security Cube's Black Box Testing strategy is comprised of a series of tests designed to check for both normal and abnormal behaviour by the system. To ensure a comprehensive assessment, some of the tests are conducted, under supervision, directly by the end-user, who is familiar with how the system should respond.

The testing is comprised of:

User Acceptance Testing:
To assess whether the software meets the user's expectations and works as expected.

Alpha Testing:
The users sit with the developers, who note every particular input or action carried out by the user. Any abnormal behaviour of the system is noted and then addressed by the developers.

Beta Testing:
The software is distributed to the users as a beta (not yet active) version so it can be assessed from their perspective for functionality. By exploring the software, the users note any exceptions, defects or abnormalities that occur and report these to the developers.

Non-User Tests
Ad-hoc Testing:
This is done without a formal Test Plan or Test Case creation, and helps inform the scope and duration of the other tests to be performed. It is designed to familiarize the tester with the application prior to the commencement of additional testing.

Exploratory Testing:
This testing is similar to the Ad-hoc testing and is done in order to learn/explore the application.

Functional Testing:
The software is tested against its functional requirements, checking that the application behaves as designed.

Stress Testing:
This test ensures that the application can tolerate and manage 'heavy load' usage, such as complex numerical values, a large number of inputs, a large number of queries, etc.

Load Testing:
An extension of Stress Testing, in which the application is tested against other 'heavy load' demands (for example, website load testing) to identify the point at which the performance of the site or application begins to degrade or fail.

Volume Testing:
This test measures the efficiency of the application, and is conducted by running a large quantity of data through the application to check the processing limits of the system.

Usability Testing:
Also known as 'User-Friendliness Testing', this test is applied when the User Interface of the application is highly specialized and tailored to a particular type of user.

Smoke Testing:
Also called 'Sanity Testing', this test is conducted to check if the application is functioning at its expected level without failing, and is ready to be put through major.

Recovery Testing:
This test is conducted to measure how, and how quickly, the application can recover from a system crash, hardware failure etc.


Security Cube will deliver a detailed and comprehensive report once all assessments have been conducted. All Security Cube reports are customized to reflect requested reporting requirements, and include an executive summary, a full outline of all the steps performed, detailed technical findings, and recommendations.

Additional Services

Upon the completion of each Black Box application security assessment, Security Cube offers the following services:

o Regression testing of all items identified during the assessment
o Vulnerability Remediation Assistance and Project Management
o Custom Secure Application Development Training
