For years, security researchers have used the terms "black box" and "white box" to describe dynamic and static web application security analysis, respectively. IBM is now seeking to combine the best of both approaches by introducing a new approach called "Glass Box."
"We use the terms 'black box' and 'dynamic analysis' interchangeably, and basically that's looking at a functioning application in a web browser and evaluating its state to identify potential vulnerabilities," Patrick Vandenberg, program director for IBM Security, told InternetNews.com. "'Static analysis' we use interchangeably with white box testing and that's looking at source code before it is compiled to root out potential vulnerabilities."
IBM historically has provided black box testing by way of its AppScan portfolio. AppScan was expanded in 2010 with a source code edition that can do static, white box analysis.
With its latest release of AppScan standard edition 8.5, IBM is now taking that capability one step further by introducing the new Glass Box approach. With Glass Box, AppScan installs agents on a server to instrument the code, while also applying dynamic analysis techniques.
"In so doing we’re getting the real-world validation that you get from black box testing as well as getting inside the box, and that delivers phenomenal improvements in accuracy," Vandenberg said.
When it comes to root cause analysis using Glass Box, Vandenberg noted that users are limited in what they can see from an instrumentation perspective. That said, Vandenberg added that the system is able to provide coverage for all the vulnerabilities that a user would be able to find from a static analysis perspective within the context of a web application.
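To make the combination concrete, here is an added toy illustration; it is not IBM's code and bears no relation to how AppScan's agent actually works. A dynamic "scanner" sends a marked probe value into two constructed request handlers, while an "agent" hooked into the database driver reports the handler and line where the marker reaches the SQL text unparameterised, which is the root-cause location a pure black-box scan cannot give. The handler names, the probe marker and the in-memory schema are all constructed for the example.

```python
import sqlite3
import traceback

PROBE = "GLASSBOX_PROBE_7f3a"  # constructed marker the dynamic side sends in each request

class TracedCursor(sqlite3.Cursor):
    """Agent side: a hook on the SQL sink that records the app frame whenever the
    probe marker appears inside the query text, i.e. concatenated rather than bound."""
    findings = []

    def execute(self, sql, parameters=()):
        if PROBE in sql:
            caller = traceback.extract_stack()[-2]  # frame in the app that called the sink
            TracedCursor.findings.append(
                {"sink": "sqlite3.Cursor.execute", "func": caller.name, "line": caller.lineno})
        return super().execute(sql, parameters)

class TracedConnection(sqlite3.Connection):
    def cursor(self, *args, **kwargs):
        return super().cursor(TracedCursor)  # every cursor the app opens is instrumented

def connect_instrumented():
    conn = sqlite3.connect(":memory:", factory=TracedConnection)
    cur = conn.cursor()
    cur.execute("CREATE TABLE users (name TEXT)")  # constructed schema and row
    cur.execute("INSERT INTO users VALUES ('alice')")
    return conn

def lookup_user_vulnerable(conn, username):
    # Constructed handler: request input concatenated into the query (the defect to detect).
    return conn.cursor().execute(
        "SELECT name FROM users WHERE name = '" + username + "'").fetchall()

def lookup_user_fixed(conn, username):
    # Same query with a bound parameter; the marker only reaches the driver as data.
    return conn.cursor().execute(
        "SELECT name FROM users WHERE name = ?", (username,)).fetchall()

def glass_box_scan(handlers):
    """Dynamic side: drive each handler with the probe, then read the agent's findings.
    Returns {handler name: [findings]}, naming the code location rather than just the request."""
    TracedCursor.findings.clear()
    conn = connect_instrumented()
    report = {}
    for handler in handlers:
        before = len(TracedCursor.findings)
        handler(conn, PROBE)  # black-box style request carrying the marker
        report[handler.__name__] = list(TracedCursor.findings[before:])
    return report
```

Running `glass_box_scan([lookup_user_vulnerable, lookup_user_fixed])` reports one finding against the vulnerable handler, with its function name and line, and none against the parameterised one.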
Full static analysis is still required for non-web applications, and it still has a role in the development process itself.
"Really the root cause is sitting in development where all these vulnerabilities are first introduced to the code," Vandenberg said. "You want to find those flaws as early as you can."
IBM also has production software capabilities with its Tivoli software division that could benefit from the enhanced security analysis that Glass Box can provide.
"We can push the vulnerability data there so that policies can be tuned and pushed out to all the devices that are being managed," Vandenberg said.
Source: http://www.esecurityplanet.com/network-security/glass-box-the-next-phase-of-web-application-security-testing.html