Automated tools for assessing the security of web applications fall into two main categories: black box and white box testing. Each has its benefits and challenges, and many organizations use both to attain the best possible results. For the last few years, IBM has been researching, developing and patenting an exciting new approach called glass box, which is now emerging as a way to take advantage of the benefits of both methods.
With the glass box testing method, users can observe the actions of an application from within while it is running. Research shows that this approach can greatly enhance key aspects of black box scanning while retaining the benefits of the white box approach. This paper introduces glass box testing and describes how it works, how it compares to various web application scanning tools, and what benefits it provides.