is black box testing more demanding than white-box test technology?

A few months ago I was talking about black box testing is not necessarily less than white-box testing technology, but now I can be more positive that black box testing than white box testing more difficult, more technical requirements. Truth is very simple, black box, white box test The essential difference is the source code access rights, white box testing has this right, so there are more resources and information to test, of course, things will become much easier, and black box test because the source code can not see, so that the white box tester found bugs, You need to spend more time and have a higher technology to be able to find out.

I have been doing black box test for more than 4 years, is a genuine black box tester, but I have access to the right to the source code, that is, although I do black box test, but I have no more information than the white box test personnel. With my black box testing experience and the improvement of technology, I suddenly found that I have been completely dependent on the source code provided by the information, if there is no source code, my black box test work will become a lot more complicated, difficult, most of them can not be achieved. It also gives me a strong feeling that black-box testing is more difficult than white-box testing.

In a book published in Symantec, "Theartofsoftwaresecuritytest," there is this saying. I think this book is general, but the inside embodies the truth, is, "for white box testing, a company can form a Test team to carry out, and for black box testing, there may be very few companies have this ability, can only go outside to hire a professional company to do, the cost is very high, but it is worthwhile."

Often hear someone complain "I am in the company to do black box test, no technical content, my goal is to go to the white box test," I have always felt that this argument can be questioned, I also hope that after reading this article, do not appear this sound, Let's not take it as a sounding excuse not to improve the test technology.

Why do most of us, including my own, think black box testing is less technical than white-box testing? That's because most of us are doing low-end black box testing. I thought a long time ago, hackers are through black box testing methods to find security vulnerabilities, how can we say that black box testing technology is low? With their level to the hacker's direction close, oneself also more and more deeper, richer understanding and experience.

If we have just entered the black box testing field of the new technology into 0, and the hacker's technology is divided into 5, then according to the technical level I have such a list:

0. Test Novice

1. Black Box Manual Test

2. Black box Automation test

3. Has the white box test ability

4. Safety Test

5. Hackers

It's not right to be aware that many people rely on the company to improve their testing techniques, rely on the team, and rely on project. I am in the company's work is black box automation test, but this does not affect me to the higher direction of development, now the Internet so developed, what data can not find it? A variety of computer books, online a variety of computer technology exchange forums, blogs and so on. A lot of people think job-hopping, change a job oneself can better develop test technology, this also has erroneous zone. To tell you the truth, personal development is a matter of personal nature, it's not the company's problem, or your lead, your manager's problem, a company that wants you, it means that your own ability and level and the company's requirements for you is relatively close, the company has an expectation of you, That means you can do the job, and the development is not the company's expectations of you, the vast majority of the situation or rely on individuals. Therefore, I personally think that no matter in the work environment, the job content of the situation, you have technology to improve the scope, but it is up to you to drive, rather than rely too much on the external environment. I grew up learning, mainly by self-study, I rarely can concentrate on listening to the teacher a class. Including now, many of my training have not heard the end of the walk, or some sign to slip. My this character has made me very independent learning ability, oneself plan study for oneself, do not know whether has the reference function to everybody.

Anyway, since everyone is familiar with the 0,1,2 level, I'd like to talk about the 3,4,5 level.

3. As a black box tester, no one will ask you not to have white box testing capabilities, if you have the right to access the source code, that's good, you can fully use this advantage, to see the source code to get information applied to your black box test. If you do not have access to the source code, it does not prevent you from exploring and practicing in this field. If your project is Java,. NET this, you can decompile, if your project is c,c++ this, you can disassemble it. All in all, the so-called white box test ability means to find a bug can be located in the code, what is the code, why this bug? You can design code-level test cases. Generally speaking, this level of requirements is the ability to read and write good code.

4. The fundamental difference between safety testing and white box testing is safety awareness and hacker thinking. One book, Writingsecurecode, says, "You can train a person to have the ability to test security feature, it's hard to train a person to have a hacker's way of thinking, and if you find such a person, you hire him". People at this level should have a good sense of security, know a variety of attack methods, when found a bug should have security judgments, such as "whether a security loophole", "whether can be exploited by hackers", "severity", and so on. Similarly, your test content contains a large number of security test cases.

5. The level of hacker requirements is higher. For security testing, it's just an analysis of "whether it can be exploited by hackers", and hackers are going to analyze "how to use" and write attack code to attack. For me at least, they want to have a very skilled assembly programming ability.

I used to think that for a safety test or a high-end test, years of development experience were essential, and practice proved not. Similarly, if you want to do high-end testing, you may not have to turn to the white box test first. From my personal experience, as long as you have the heart, as long as your own intentions, you can always develop and improve, the external environment is important, but the decisive factor is still their own. The security test was completely out of my job and responsibility, but in one months, I've found 4 consecutive security vulnerabilities. If you can find a security flaw in your project at work, how can the company not value you?