An IT auditor tests an application as an authenticated user. This is an example of which of the
following types of testing?

A.
Penetration

B.
White box

C.
Black box

D.
Gray box

Explanation:
In this question, the tester is testing the application as an authenticated user. We can assume
from this that the tester has at least limited knowledge of the application. This meets the criteria of
a grey-box test.
Gray box testing, also called gray box analysis, is a strategy for software debugging in which the
tester has limited knowledge of the internal details of the program. A gray box is a device, program
or system whose workings are partially understood.
Gray box testing can be contrasted with black box testing, a scenario in which the tester has no
knowledge or access to the internal workings of a program, or white box testing, a scenario in
which the internal particulars are fully known. Gray box testing is commonly used in penetration
tests.
Gray box testing is considered to be non-intrusive and unbiased because it does not require that
the tester have access to the source code. With respect to internal processes, gray box testing
treats a program as a black box that must be analyzed from the outside. During a gray box test,
the person may know how the system components interact but not have detailed knowledge about
internal program functions and operation. A clear distinction exists between the developer and the
tester, thereby minimizing the risk of personnel conflicts.