A software development company has hired a programmer to develop a plug-in module to an existing
proprietary application. After completing the module, the developer needs to test the entire application to ensure
that the module did not introduce new vulnerabilities. Which of the following is the developer performing when
testing the application?
Black box testing
White box testing
Gray box testing
In this question, we know the tester has some knowledge of the application because the tester developed a
plug-in module for it. However, the tester does not have detailed information about the entire application.
Therefore, this is a gray box test.
Gray box testing, also called gray box analysis, is a strategy for software debugging in which the tester has
limited knowledge of the internal details of the program. A gray box is a device, program or system whose
workings are partially understood.
Gray box testing can be contrasted with black box testing, a scenario in which the tester has no knowledge of or
access to the internal workings of a program, or white box testing, a scenario in which the internal particulars
are fully known. Gray box testing is commonly used in penetration tests.
Gray box testing is considered to be non-intrusive and unbiased because it does not require that the tester have
access to the source code. With respect to internal processes, gray box testing treats a program as a black box
that must be analyzed from the outside. During a gray box test, the person may know how the system
components interact but not have detailed knowledge about internal program functions and operation. A clear
distinction exists between the developer and the tester, thereby minimizing the risk of personnel conflicts.