OWASP Israel 2008 Conference Adi Sharabani

Black Box vs. White Box - pros and cons

In recent years, two main technologies have emerged to detect security vulnerabilities in web applications. Black-box and white-box testing approach the problem in fundamentally different ways, each with its own strengths and weaknesses. In this presentation we cover the main aspects of each technology, listing their pros and cons. We discuss the coverage issues with each technology. We explain which approach works better in different scenarios, and why.


Adi Sharabani manages the IBM Rational Application Security Research Group, responsible for product and industry research activities that pertain to Web application security. Adi joined IBM through the acquisition of Watchfire, a market leader in web application security testing. Prior to security research, Adi was a senior software developer on the AppScan team responsible for the invention and development of many of its key features.

Yinnon Haviv completed his Ph.D. in Computer Science in 2006 (distributed systems, fault tolerance, self-stabilization, language semantics). Before joining the static analysis group at IBM/Watchfire, Yinnon was a key contributor in the research, design and implementation of impact analysis algorithms over large programs (>1M lines of code).