Get started Bring yourself up to speed with our introductory content.

What type of security assessment does the client want?

Security site assessments can vary based on what is required of the consultant or service provider. Learn about the different types of security assessments: black-, white- and gray-box.

About the author
Joel Scambray has held diverse roles in information security over a dozen years, including co-author of Hacking Exposed: Windows and Hacking Exposed: Web Applications, senior director of security at Microsoft, co-founder of security technology and service company Foundstone, senior security consultant for Ernst & Young and internationally recognized speaker in both public and private forums. Listen to the supplemental podcast with Joel for more information on security site assessments.

There are different types of security assessments based on the role of the consultant. "Black-box" assessments assume zero knowledge on the part of the consultant and typically require more generalist security assessment skills (such as experience with network inventory and vulnerability scanning tools and techniques). "White-box" typically implies application source code review by experienced software developers (and/or automated code review tools). It may also imply access to design/specification documentation not normally available to an outsider. "Gray-box" is a hybrid of the black-box and the white-box. This information should be prepared by the client in advance of starting work.

Dig Deeper on Cybersecurity risk assessment and management