White box (sometimes called glass box) assessments differ from black box, in that the security testers have full access to design and configuration information about the system of interest. The following are some activities and descriptions that can be performed as part of white box testing:
Activity |
Description |
Staff interviews |
Evaluators should perform a series of interviews with development and/or operational IT staff to understand the technologies used in the implementation, integration and deployment points, sensitive information processed, and critical data stores. |
Reverse engineering |
Perform reverse engineering of IoT device firmware when possible, to identify whether new exploits can be developed ... |