Software testing (Black Box and White Box Testing), as many of you might know, is a formal process of checking whether the developed product performs exactly as it was expected to and ensuring that it does not spring any surprises after shipping. The cost of software testing is way less than the cost of having a major bug reported after the product starts shipping, and the cost of fixing it at that point is higher still. The biggest cost of a bug being detected after the product ships is the loss in customer satisfaction and loyalty. You might have customers go straight to competitors and then suddenly it is the end of the story.
Here is an example.
Boeing 737, rings a bell? Well, the Boeing 737 MAX was grounded worldwide between Mar 2019 and Dec 2020, after 346 people died in 2 crashes. An investigation indicated that when one of the sensors failed, the plane would automatically pitch down, requiring manual intervention by the pilots. This obviously was something that fell outside the ambit of thorough testing. The lack of structured and systemic testing resulted in so many lives being lost, which cannot be compensated in any way, not to mention the loss of business in future contracts and the advantage that competitors like Airbus gained.
Software testing is an important exercise during software development. It guarantees quality, reliability and minimized risk. Thorough testing ensures efficient performance and happy customers, which in turn means good business.
A software product can be tested against several criteria and in several ways. At a basic level, the software can be tested for its intended functionality, that is, whether it is doing what it is supposed to do. This can be tested in two ways: Black Box Testing and White Box Testing.
Black Box testing is a way to test a product without knowing how the product is wired inside or how it implements its features. Consider a software product to be a box with all its inner workings placed inside the box. You give some input to the box and you get an output from the box. The box in black box testing is completely black and opaque: nothing is visible except what is being input and what is being output. You are testing just the functionality of the software product.
White Box testing, on the other hand, is a much more involved way of testing the product. You don’t just test the functionality here. The box is now transparent or, to put things in perspective of the black box, it is white now. You are able to see all the inner workings of the product: all statements, conditional loops, the flow of input through the program and more.
So, for White Box testing, you will need an experienced programmer or a testing professional well versed in programming languages and coding techniques. In this discussion, let’s delve into white box testing.
Let’s look at a formal definition of white-box testing (also known as clear box testing, transparent box testing, glass box testing and structural testing) available from a reliable source. According to Wikipedia, “White-box testing is a method of software testing that tests internal structures or workings of an application”. Here, the testing personnel will not only need to have the right programming skills but also should have an internal perspective of the system.
Here is what takes place in White box testing from a high level.
What are the internal security holes? Holes are parts of the program that leave the application vulnerable to attack. For example, failing to harden your application against injection attacks leaves a security hole in it, which an attacker can one day take advantage of to compromise customer data.
There are certain rules that you go by during coding which, when not followed, might not result in an error but might cause strange behaviour in certain cases that you did not anticipate while coding. Also, there are coding structures, like if conditions, which when left open (in other words, when the programmer has not considered all possible values for a condition) might eventually lead to unexpected results. White box testing helps to uncover such incomplete, broken program structures.
It is a good idea to follow a variable's life cycle from declaration till it is discarded, to understand whether there are conflicting variable names or whether some program constructs are changing the value of a variable inadvertently.
One of the most crucial parts of testing is checking whether you are getting results as expected, by design.
A loop construct, if not written well, might run as an infinite loop, something that will surely crash any program. Sometimes nested loops can get really complex; it is better to simplify using some other constructs, if possible, than to allow complex multiple nesting of loops.
Testing of each statement and statements within functions is important in White-box testing to ensure the integrity of the application.
White Box testing requires a couple of things of the tester. One: the testing personnel should be well versed in the programming language the application is written in and should be able to understand the written code and its underlying business logic. An open channel should exist between the testing team and the development team to discuss matters of code, especially in White Box testing. Two: create test cases for testing flow and structure, and execute them. Here the tester can create test scripts that test each statement and function.
An example might put things in the right perspective for understanding purposes.
Let us consider the below dummy code, with a sequence of statements.
IF X Y > 100 THEN
If P > 50 THEN
It is suggested that a flow chart be prepared to get a picture of what is happening on the code front. This is obviously a very trivial example, but real-life code will be much more complex and the resulting flowchart will be more so.
Now let’s assign some labels to the edges and nodes as shown in the figure below.
Among the several kinds of test coverage, you will have to test path coverage. Let’s run through the paths that this code snippet can take, based on the labels that have been assigned.
As you might have already guessed, there are 4 paths.
Testing all paths ensures that all conditions are tested satisfactorily before shipping, and no surprises crop up.
A popular white box testing technique is Code Coverage analysis. Code Coverage, or test coverage, is a measure indicating the degree to which statements or lines of code have been executed. Depending on some conditions, some lines of code will not be tested. Some of the code coverage calculation methods are
Statement coverage as the name suggests aims at testing the maximum number of executable statements across the module or feature.
Branch coverage attempts to maximise testing on each branch, like an if statement or a loop.
Testing all the possible combinations of outcomes of a condition or a decision statement.
Other code coverage methods are Finite State Machine coverage, Path coverage, Control Flow coverage, Data Flow coverage.
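Branch coverage and path coverage can disagree about whether code has been tested. The Python sketch below is an added example, not code from the original article: it models the two sequential decisions of the dummy code above and measures both metrics over two test sets. The `x + y` operator, the `ratio` variable and its division defect are assumptions constructed for illustration.

```python
# Added illustration: two sequential decisions, as in the article's dummy code.
# ASSUMPTIONS: the page's first condition lost its operator, so `x + y` is a
# guess; `ratio` and the division are a constructed defect, not from the page.

def process(x, y, p, trace):
    """Record each branch taken in `trace` and return a computed value."""
    ratio = 0                          # initial value, meant to be overwritten
    if x + y > 100:
        trace.append("D1-true")
        ratio = 2
    else:
        trace.append("D1-false")       # ratio silently stays 0 on this branch
    if p > 50:
        trace.append("D2-true")
        value = p // ratio             # divides by zero if D1 was false
    else:
        trace.append("D2-false")
        value = p
    return value

def measure(tests):
    """Run every (x, y, p) case; return branches hit, paths hit, failing inputs."""
    branches, paths, failures = set(), set(), []
    for x, y, p in tests:
        trace = []
        try:
            process(x, y, p, trace)
        except ZeroDivisionError:
            failures.append((x, y, p))
        branches.update(trace)
        paths.add(tuple(trace))
    return branches, paths, failures

# Constructed inputs. Two cases are enough to take every branch once.
BRANCH_TESTS = [(60, 50, 80), (10, 20, 30)]
# Path coverage adds the two remaining true/false combinations.
PATH_TESTS = BRANCH_TESTS + [(60, 50, 30), (10, 20, 80)]

if __name__ == "__main__":
    for name, tests in (("branch", BRANCH_TESTS), ("path", PATH_TESTS)):
        branches, paths, failures = measure(tests)
        print(f"{name}: {len(branches)}/4 branches, {len(paths)}/4 paths, "
              f"failing inputs: {failures}")
```

The first test set reports every branch as covered yet never runs the one path on which the variable keeps its initial value; only the four-path set exposes the failing input.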
There are broadly two main types of white box testing, Unit Testing and Integration Testing.
In Unit testing, the application is seen as a cohesion of several units or modules, and each module, along with its control data, procedures and flow, is tested individually. Unit tests are typically automated tests written by developers to ensure that a component of an application is meeting design expectations. What is considered a unit depends on the programming style. For example, in an object-oriented style, a unit becomes a class and its interface. There are a few subtypes of unit testing, like Execution testing, Operations testing and Mutation testing.
Integration testing brings together several related individual units or modules and tests them as a group. It is performed to evaluate how well the individual units conform to functional requirements and whether there are any faults in the interaction between the individual units. Integration testing branches out into the Top-Down approach, the Bottom-Up approach and the Hybrid approach.
If your application is in a business with very high risks like avionics or medical devices, it is best to have your application tested thoroughly with White box techniques.