Matt, the Chief Information Security Officer (CISO), tells the network administrator that a security company has
been hired to perform a penetration test against his network. The security company asks Matt which type of
testing would be most beneficial for him. Which of the following BEST describes what the security company
might do during a black box test?
The security company is provided with all network ranges, security devices in place, and logical maps of the
The security company is provided with no information about the corporate network or physical locations.
The security company is provided with limited information on the network, including all network diagrams.
The security company is provided with limited information on the network, including some subnet ranges
and logical network diagrams.
The term black box testing is generally associated with application testing. However, in this question the term is
used for network testing. Black box testing means testing something when you have no knowledge of the inner
Black-box testing is a method of software testing that examines the functionality of an application without
peering into its internal structures or workings. This method of testing can be applied to virtually every level of
software testing: unit, integration, system and acceptance. It typically comprises most if not all higher-level
testing, but can also dominate unit testing.
Specific knowledge of the application’s code/internal structure and programming knowledge in general is not
required. The tester is aware of what the software is supposed to do but is not aware of how it does it. For
instance, the tester is aware that a particular input returns a certain, invariable output but is not aware of how
the software produces the output in the first place.