Hacker News
by paulriddle 2950 days ago
I feel like black box assessment is highly inferior to white box or whatever it is called, when you have access to source code. Huge waste of time for both company and security specialist. It is only acceptable for ongoing bug bounties.

Am I wrong? I'm not in the field, so I don't really know. I have lots of questions. Is it common for security consultancies to do only white box reviews, or would this not be a good decision business-wise? Is it common to charge for fixes to found vulnerabilities during an audit? What if the flaw is in an open source library?

2 comments

Security consultancies will usually do whatever the client asks for, or try to cater exactly to their needs. This may result in either a white box or a black box attack.

Usually the test will be done at a fixed price, with a fixed scope (what they are/aren't allowed to test). The result of this will usually be a report detailing the vulns, along with recommended fixes/remediations and sometimes a 'post-fix test' to check whether the company has successfully remediated the issues.

White box testing tends to look at the system/application from an inside-out perspective, whereas black box is an outside-in view. The benefit of white box is a very thorough assessment of the system, but this will be time-consuming and expensive. Black box, on the other hand, can simulate the likely attacks from an adversary and can sometimes be relatively quick, depending on the system's attack surface.

Hope this helps.

You're not wrong at all. Having access to code is far more efficient. My favorite type of assessment to get is when I get a test env and code access. It is uncommon though; a lot of companies are protective of their source code and don't want to hand it out to machines they don't totally control. In most cases when I get code access I either get a laptop from the client or a VPN and RDP onto a machine they control.

As for charging, I've never been paid based on findings, but based on time. If they fix while I'm testing, that is great work by their team, but I'd prefer a stable test env, so it's a bit annoying.

Libraries can be an interesting area. I focus my testing on code the client controls and only note known vulns in libraries they use. I have found issues in libraries before, and we report them to the client and work with them to disclose to the vendor if they want.