White Box testing method
White box testing (also called open box, transparent, clear or glass box testing, or structural testing) is a testing method that checks the security, usability and input-output flow of a system's internal structure, design and code. The code is ‘open’ (visible) to the testing specialists who use this method. It concerns the inner workings of applications and revolves around internal tests.
White box testing involves a series of inputs verified against expected outputs. When a particular input does not produce the expected result, an error has been found.
The method helps to discover the following issues:
- Internal security holes;
- Broken or poorly structured paths in the code;
- Improper flow of specific inputs through the code;
- Unexpected outputs;
- Failing functionality of conditional loops;
- Errors found through individual testing of statements, objects and functions.
The ‘White box’ testing process includes the following consecutive steps:
- Understanding the source code. It is important to learn and understand the source code of the application first, to perform further testing thoroughly and correctly;
- Test case creation and execution. At this step the testing of the application is carried out. The tester creates a number of minor tests to check each process or series of processes. It also includes manual testing, trial and error testing and structure and flow checking.
Types of White Box Testing
There are several testing types which are used to evaluate app usability, code blocks and the quality of software packages. The list includes the following:
- Unit testing. It is performed on every unit or block of the code during development and helps to discover the majority of bugs at the earliest stages, when they are cheaper and easier to fix. It is done on a continuous basis and involves running portions of the code to see if they produce the desired output. If the output differs from the expected one, it means there’s an issue with the code;
- Memory leaks testing. This type of issue slows applications down; the test is therefore done when an app is too slow, to find and fix any leaks;
- White box Pentesting. The tester is given complete information about the source code, detailed network and server information and all involved IP addresses, and a ‘white hat’ hacker simulates an attack based on intimate knowledge of the code and environment. It aims to imitate attacks from various sides and angles to spot security threats, so a white box penetration test is useful for a targeted attack simulation utilizing as many attack vectors as possible;
- White box Mutation testing. It is used to discover best code practices by making small random changes to the code and checking whether the tests still pass. It is usually performed at the final stage to check for bugs and also to reveal the optimal coding strategies;
- Integration testing. It helps to check integration points between internal components and integration with external systems;
- Static (structural) code analysis. It helps to detect vulnerabilities and errors in static code by means of predefined patterns. Static application security tools (SAST) are often used here to keep the code secure. It helps perform configuration, semantic, data flow analyses and other analyses to detect vulnerabilities and bugs.
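The mutation testing item above, as an added example (not part of the original article). The lockout function, the two test suites and all names are constructed for illustration, and the mutants are enumerated one by one instead of being chosen at random so that the result is reproducible. A mutant that survives marks a boundary the tests never check:

```python
import ast

# Constructed function under test: an account lockout decision.
SOURCE = """
def is_locked_out(failed_attempts, seconds_since_last, limit=5, window=900):
    return failed_attempts >= limit and seconds_since_last < window
"""

# Boundary-shifting mutations, the kind an off-by-one mistake would produce.
SWAPS = {ast.GtE: ast.Gt, ast.Gt: ast.GtE, ast.LtE: ast.Lt, ast.Lt: ast.LtE}

class SwapNth(ast.NodeTransformer):
    """Replace only the target-th comparison operator with its neighbour."""
    def __init__(self, target):
        self.target, self.seen = target, 0

    def visit_Compare(self, node):
        self.generic_visit(node)
        for i, op in enumerate(node.ops):
            if type(op) in SWAPS:
                if self.seen == self.target:
                    node.ops[i] = SWAPS[type(op)]()
                self.seen += 1
        return node

def load(tree):
    """Compile a (possibly mutated) module tree and return its function."""
    ns = {}
    exec(compile(ast.fix_missing_locations(tree), "<mutant>", "exec"), ns)
    return ns["is_locked_out"]

def passes(func, cases):
    return all(func(*args) == expected for args, expected in cases)

def surviving_mutants(cases):
    """Return the mutated statement of every mutant the cases fail to kill."""
    counter = SwapNth(-1)              # target -1 never matches: only counts
    counter.visit(ast.parse(SOURCE))
    survivors = []
    for n in range(counter.seen):
        tree = SwapNth(n).visit(ast.parse(SOURCE))
        if passes(load(tree), cases):
            survivors.append(ast.unparse(tree.body[0].body[0]))
    return survivors

# Constructed suites: WEAK never touches the boundaries, STRONG does.
WEAK = [((10, 60), True), ((0, 60), False), ((10, 5000), False)]
STRONG = WEAK + [((5, 60), True), ((10, 900), False)]

if __name__ == "__main__":
    print("weak suite survivors:", surviving_mutants(WEAK))
    print("strong suite survivors:", surviving_mutants(STRONG))
```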
The testing process and techniques
The White box testing techniques include the following:
- Statement Coverage (requires every statement in the code to be tested during software engineering testing);
- Decision Coverage (checks the paths of the application for possible conditional loops);
- Memory perspective-based testing (tests possible code size increase);
- Branch Coverage (maps the code into branches and ensures that all of them are covered by unit tests);
- Segment Coverage (does similar things but to every code statement);
- Condition Coverage and Multiple Condition Coverage (tests variables in a substatement through logical conditions, such as ‘true/false’ condition checking);
- Finite State Machine Coverage;
- Path Coverage (helps to identify broken, redundant and inefficient paths by means of testing all possible paths);
- Control flow testing;
- Data flow testing (helps to examine data flows and references to variables in code);
- Loop testing (covers single, concatenated and nested loops in the code (‘for’, ‘while’, etc.));
- Program performance testing (helps to check speed/response time).
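The difference between Statement Coverage and Branch Coverage from the list above, as an added example (not part of the original article). The token check, its fail-open default and the sample values are constructed for illustration. The first suite executes every statement and passes, yet never takes the branch that skips the comparison; the suite that covers that branch exposes the flaw:

```python
import hmac
import sys

def check_token(token, expected):
    ok = True
    if len(token) == len(expected):
        ok = hmac.compare_digest(token, expected)
    return ok

# Line offsets inside check_token, counted from its `def` line.
ASSIGN_LINE, IF_LINE, COMPARE_LINE, RETURN_LINE = 1, 2, 3, 4

def run_traced(func, cases):
    """Call func on each case; return (results, lines executed, arcs taken)."""
    code, first = func.__code__, func.__code__.co_firstlineno
    lines, arcs, last = set(), set(), [None]

    def local(frame, event, arg):
        if event == "line":
            cur = frame.f_lineno - first
            lines.add(cur)
            if last[0] is not None:
                arcs.add((last[0], cur))   # jump from previous line to this one
            last[0] = cur
        return local

    def on_call(frame, event, arg):
        if frame.f_code is not code:
            return None                    # trace nothing except func itself
        last[0] = None
        return local

    previous = sys.gettrace()
    sys.settrace(on_call)
    try:
        results = [func(*args) for args in cases]
    finally:
        sys.settrace(previous)
    return results, lines, arcs

SECRET = "s3cret-token"                    # constructed sample value
STATEMENT_SUITE = [(SECRET, SECRET), ("x" * len(SECRET), SECRET)]
BRANCH_SUITE = STATEMENT_SUITE + [("short", SECRET)]

if __name__ == "__main__":
    for name, suite in (("statement", STATEMENT_SUITE), ("branch", BRANCH_SUITE)):
        results, lines, arcs = run_traced(check_token, suite)
        skipped = (IF_LINE, RETURN_LINE) in arcs
        print(name, "results:", results, "skip-branch covered:", skipped)
```

The third result of the branch suite is `True`: a token of the wrong length is accepted, which the statement-only suite could not show.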
Pros and cons of White box testing
Like any other testing method, White box testing has its strengths and weaknesses.
Pros include:
- Code optimization by discovering hidden errors;
- The test cases can be easily automated;
- All the code paths are covered;
- Can be performed at the earliest stages (when GUI is not available yet).
Cons include:
- Can be too complex, time-consuming (especially for larger applications) and expensive;
- Requires professional resources with detailed understanding of programming and implementation.
One of the goals of the method is to verify a working flow. A number of purpose-specific tools are used for this, such as:
- EclEmma (useful for fast code coverage, which summarizes and highlights the coverage results in the Java source code editors at once);
- NUnit (helps to produce better code by reducing the number of bugs in the application);
- PyUnit (a widely used testing framework, used to create a variety of tests to improve code quality, increase development velocity and detect and catch out bugs at the earliest stages);
- PyTest (a Python testing tool, which supports TDD (Test-driven Development) and BDD (Behavior-driven Development));
- HTMLUnit (the so-called "GUI-less browser for Java programs" with good support. It is mostly used for testing purposes or to retrieve information from websites);
- CppUnit (a famous module for testing units in suites for C++, which also tests the programs for quality and reliability);
- Metasploit (used to develop and validate exploit code before the ‘real life usage’);
- Nmap (used for monitoring network connections, scanning ports and networks, auditing hosts and services, mapping large networks and detecting intrusion. It can be applied for packet-level and scan-level analysis);
- John the Ripper (a password cracker, which helps to spot weak passwords in a number of frameworks);
- Wireshark (a traffic analyzer, used for monitoring software to find out what kind of traffic flows through the system network. It is used to troubleshoot performance issues (both network and system) and for monitoring and filtering network protocols);
- Astra’s Pentest (a tool with the largest range of use, including CI/CD integration, zero false positives and monitoring compliance);
- Nessus (a vulnerability tester, used to detect more than 65 thousand vulnerabilities and regularly updated for new threats);
- Nikto (used to scan for more than 7 thousand types of dangerous software);
- SQLmap (used for exploitation of SQL injection flaws).
White box testing is relatively complex, so it may take quite a lot of time, but it needs to be completed during application development and after each update.