For years, security researchers have used the terms “black box” and “white box” to describe dynamic and static web application security analysis, respectively. IBM is now seeking to combine the best of both by introducing a third approach it calls “Glass Box.”
“We use the terms ‘black box’ and ‘dynamic analysis’ interchangeably, and basically that’s looking at a functioning application in a web browser and evaluating its state to identify potential vulnerabilities,” Patrick Vandenberg, program director for IBM Security, told InternetNews.com. “‘Static analysis’ we use interchangeably with white box testing and that’s looking at source code before it is compiled to root out potential vulnerabilities.”
IBM historically has provided black box testing by way of its AppScan portfolio. AppScan was expanded in 2010 with a source code edition that can do static, white box analysis.
With its latest release, AppScan Standard Edition 8.5, IBM is taking that capability one step further by introducing the new Glass Box approach. With Glass Box, AppScan installs agents on the application server to instrument the running code, while the scanner continues to apply dynamic analysis techniques to the application.
“In so doing we’re getting the real-world validation that you get from black box testing as well as getting inside the box, and that delivers phenomenal improvements in accuracy,” Vandenberg said.
When it comes to root cause analysis using Glass Box, Vandenberg noted that instrumentation limits what users can see. That said, he added that the system is able to cover all the vulnerabilities a user would be able to find through static analysis within the context of a web application.
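To make the combination described above concrete, here is an added example that is not IBM's code or part of the original article: a hypothetical in-process agent hooks a database sink while a black-box-style probe is sent through two request handlers, so the finding carries the server-side frame that passed the probe into the sink (the root-cause information glass-box testing adds over black box alone). The `Database` class, the handlers and the probe marker are all constructed for the demonstration.

```python
import sqlite3
import traceback

PROBE = "GBX-PROBE-7f3a"  # constructed marker the scanner sends as request input

class Database:
    """Thin wrapper so the agent has a Python-level sink to hook."""
    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")

    def execute_sql(self, sql, params=()):
        return self.conn.execute(sql, params).fetchall()

def lookup_user_concat(db, username):
    # Deliberately weak handler: request input concatenated into SQL text.
    return db.execute_sql("SELECT id FROM users WHERE name = '" + username + "'")

def lookup_user_param(db, username):
    # Hardened handler: the input travels as a bound parameter, not as SQL text.
    return db.execute_sql("SELECT id FROM users WHERE name = ?", (username,))

class GlassBoxAgent:
    """Hypothetical agent: hooks the sink and records which application frame
    passed a probe-marked string into it, giving the root cause of a finding."""
    def __init__(self, db, marker=PROBE):
        self.marker, self.findings = marker, []
        real = db.execute_sql  # bound original, captured before patching
        def hooked(sql, params=()):
            if marker in sql:  # probe reached the sink as unescaped SQL text
                f = traceback.extract_stack()[-2]  # the frame that called the sink
                self.findings.append({"sink": "Database.execute_sql",
                                      "caller": f.name, "line": f.lineno})
            return real(sql, params)
        db.execute_sql = hooked

def glass_box_scan(handler):
    """Black-box half: push the probe through the handler as a scanner would.
    Glass-box half: return what the agent observed inside the server."""
    db = Database()
    agent = GlassBoxAgent(db)
    handler(db, PROBE)
    return agent.findings

if __name__ == "__main__":
    print(glass_box_scan(lookup_user_concat))  # one finding, caller lookup_user_concat
    print(glass_box_scan(lookup_user_param))   # []
```

A plain black-box scan sees only the HTTP response for both handlers; the agent's record of the sink and caller is what distinguishes the concatenating handler from the parameterized one.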
Read the full story at eSecurityPlanet:
Glass Box: The Next Phase of Web Application Security Testing?
Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals. Follow him on Twitter @TechJournalist