Penetration test: Black box vs. white box?

I would like to conduct a penetration test and am wondering whether to go black box or white box. Any advice?

Michael Dortch
Senior Product Marketing Manager, ServiceNow
Posted on Dec. 21, 2009

As every analyst on the planet loves to say in response to almost any question, "well, that depends." If you want to simulate attacks from insiders, which are increasingly the most common and damaging attack types, white-box testing is probably the way to go. But if you want a complete picture of your network's security strengths and weaknesses, I think you have to do both black-box and white-box testing -- AND you've got to document all of the conditions in place before the test, and all the results of the testing. This information is critical to translating your testing efforts into actions that make your network as safe as possible. Good luck -- and please keep the Focus community informed of the results of your efforts!

Karl Geppert
CTO, Chemwatch
Posted on Dec. 21, 2009

Yeah - very heavily depends on what answers you want to get. The best answer is both, if you have unlimited money, resources and time. The most important thing is the analysis, and the management of what happens in the results. If you don't have a proper process in place to understand the results and make changes then neither will get you far.

In terms of web-applications most of the stuff about a system is discoverable pretty quickly, so it is pretty hard to keep your black-box closed in that case.

Jason Abrahamson
Service Delivery Manager, Platforms & Operations Services, The Walt Disney Company
Posted on Dec. 22, 2009

As Michael said, "well that depends."

What type of industry are you in? What do you want to learn? How much money can you throw at it?

Typically speaking, "black box" testing is considered a "blind" test with no prior knowledge of the network in any regard. This is how a hacker would go thwarting through your network. Typically it refers to outside-in penetration, but that doesn't mean the concept applies only to that. You could have a hacker sitting in your lobby using a laptop and technically he's inside now with no prior knowledge of your network.

White Box testing, or as I like to call it, the "rigged test," typically refers to finding vulnerabilities in the network working with all known variables. I'll compare it to when you go to AAA and ask them for directions. You've never been to the place you're going so they highlight the route for you on the map and tell you where the World's largest ball of cheese is on the way. Sure you might need to take a detour or hit a pothole, but you still know what the end result is.

So to ask should I "black box or white box test" is sorta like asking "paper or plastic" -- which one do you prefer.

You need to look at the business as a whole. If you're a retailer or e-commerce company for example, not knowing your vulnerabilities from the outside is much more critical to your business than somebody running out the door with your price list. However, if you're a manufacturing company, somebody running out the door with your secret instructions for making the world's most popular Quaky the Wonder Duck toy is a lot more important. I say this because the probability of somebody stealing the instructions for Quaky through your website is significantly less than an employee pilfering them and selling them to a rival toy maker.

Not being patched or having blaring gigantic holes in your firewall could pose a potential threat, but you can find those with some web-based scanning tool for $29.95. The real threat we have is our fellow employees. A test cannot emulate human judgment, or lack thereof. Almost ALWAYS nowadays the largest vulnerability in any network is from the inside. Is it a virus? No. Is it 65-year-old Peggy in accounting sending corny jokes to everybody in the GAL? No. It's 27-year-old hotshot Steve in sales who reads PC Magazine and has an iPhone so he thinks he's a computer wizard. He is the guy you have to watch for.

Regardless of what test you run, what you elect to do with the data is much more important than the data itself. Prepare to be honest with yourself and your department. Nobody is perfect; if we were, we wouldn't have any jobs because users wouldn't break anything. Don't try to rationalize problems in your network or stones left unturned.

The best penetration test in the world though is simply monitoring the daily activity of a user in your network. This includes watching them physically and digitally. Websites, email, usage of thumb drives or flash media, mobile communications, etc. It will downright scare you how obtuse users really are.
