Through the glass box: IBM improves web app security testing

IBM's 'Glass box' technology couples dynamic analysis and static analysis

Glass box technology enjoys the merits of dynamic analysis – the ability to test a live web application – and static analysis – the ability to look at the application's code and inner workings, explained Patrick Vandenberg, program director of IBM Security.

Static analysis is performed in the application development phase, while dynamic analysis is performed when the application is being tested. The challenge is that each method has its drawbacks. For example, it is difficult to tell from a static analysis which code vulnerabilities would actually be exploitable once the web application is deployed, Vandenberg told Infosecurity.

Glass box technology overcomes those drawbacks while benefiting from the strengths of both. “Accuracy and coverage in testing is paramount. Glass box is a hybrid technology where you are blending different analysis techniques to improve your coverage and accuracy”, he said.

In an external application test, the IBM Rational AppScan Standard V8.5, which uses glass box technology, was able to detect all 198 security vulnerabilities, with no false results, according to an IBM white paper. In contrast, the black box technology used in the test only found 62 vulnerabilities and had a whopping 136 false negatives.
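To make the hybrid idea concrete, here is a constructed Python sketch, added for this article and not IBM's or AppScan's code, of what a glass-box agent does: a hook on the application's SQL sink watches whether the scanner's injected input actually reaches the query, while a plain black-box check can only read the HTTP response. The handler names, payload and the substring taint check are simplifications chosen for the illustration.

```python
import contextvars
import re

# Values the scanner injected into the current request; read by the sink hook.
# Constructed illustration of a glass-box agent, not AppScan's implementation.
_injected = contextvars.ContextVar("injected", default=())
findings = []  # vulnerabilities confirmed at a sink by the in-process agent


def sql_sink(sql, args=()):
    """Instrumented query sink: observes the SQL the app is about to run.
    A finding is recorded only if an injected value reached the query text
    itself (simplified substring taint check; real agents propagate taint)."""
    for value in _injected.get():
        if value in sql:
            findings.append({"sink": "sql", "payload": value, "query": sql})
    # a real hook would now hand (sql, args) to the database driver


def vulnerable_app(params):
    """Toy handler: concatenates user input into SQL (deliberately unsafe)
    but hides all errors, so the HTTP response never reveals the flaw."""
    sql = "SELECT * FROM users WHERE name = '%s'" % params.get("name", "")
    try:
        sql_sink(sql)
    except Exception:
        pass
    return "200 OK <html>Welcome</html>"  # identical body for any input


def fixed_app(params):
    """Same handler using a bound parameter: input never enters the query."""
    sql_sink("SELECT * FROM users WHERE name = ?", (params.get("name", ""),))
    return "200 OK <html>Welcome</html>"


def black_box_scan(handler, payload="' OR '1'='1"):
    """Black box: send the payload and infer only from the response body."""
    body = handler({"name": payload})
    return bool(re.search(r"SQL syntax|ORA-\d+|sqlite3\.|Warning: mysql", body))


def glass_box_scan(handler, payload="' OR '1'='1"):
    """Glass box: same payload, but the sink hook watches where it ends up."""
    findings.clear()
    token = _injected.set((payload,))
    try:
        handler({"name": payload})
    finally:
        _injected.reset(token)
    return list(findings)
```

Against the vulnerable handler the black-box check returns False (a false negative, because the response is silent), while the glass-box scan records one confirmed finding at the SQL sink and reports nothing for the parameterised version, which is the accuracy gain the white paper describes.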

Glass box technology provides “more automated means to find more vulnerabilities and doing it more efficiently… It is probably one of the first times we’ve seen a drastic increase in either coverage or efficiency”, Vandenberg said.

According to the IBM white paper, glass box testing has the potential to address all of the application security threats in the Open Web Application Security Project (OWASP) Top Ten, the list developers and testers use to measure and compare the coverage of security assessment tools.

The OWASP top ten application security threats are: injection, cross-site scripting, broken authentication and session management, insecure direct object references, cross-site request forgery, security misconfiguration, insecure cryptographic storage, failure to restrict URL access, insufficient transport layer protection, and unvalidated redirects and forwards.

Glass box technology also fills the gaps left by black box and white box testing and features capabilities needed to find relevant security risks with accuracy in a single technology, the paper concluded.
