Why Black Box Security Testing is Like a Bad Doctor's Visit

Why do companies hide information from security testers? In this article, Ted Harrington explains why black box testing is like visiting a doctor but refusing to share your symptoms, and how this approach undermines effective security testing.

When was the last time you went to the doctor and refused to tell them your symptoms? Probably never. Yet according to security expert Ted Harrington, many companies take exactly this approach with their security testing – and it's just as counterproductive.

In security testing, there are two main methodologies: black box and white box testing. In black box testing, the company gives the testers no inside information about the system, essentially saying "try to break in and we'll see if you can." In white box testing, the company shares system information, design documents, and access to the engineers who built it.

"Black box testing methodology would be like walking into your doctor because something is ailing you, and they say 'tell me your symptoms' and you say 'no, you figure it out,'" explains Harrington. "Why would you ever do that?"

Just as a doctor needs to understand your symptoms to effectively diagnose and treat your condition, security testers need context about your systems to efficiently identify vulnerabilities. When companies withhold information, they're not really testing their system's security – they're testing the tester's ability to figure things out with limited time and resources.

The problem with black box testing is that it leaves crucial questions unanswered. If testers don't find vulnerabilities, does that mean your system is secure? Or did they just run out of time? Or perhaps they weren't looking in the right places? Without proper context, it's impossible to know.

Instead, Harrington advocates for white box testing, where companies share system information upfront. This approach allows security experts to quickly identify potential weak points and focus their efforts where they matter most. "That helps you figure out quickly where the problems are," he says. "Because you only have so much time and effort and money."

The takeaway is clear: effective security testing, like good healthcare, requires open communication and collaboration. By working in partnership with security experts rather than keeping them at arm's length, companies can get more valuable results from their security investments.

Written By: Erin Carpenter