Weekly CISSP Practice

Exam Questions

Week 23 - Question 2

Scenario: Your organization is using a black-box testing technique for the first time. What is the main limitation of this technique?

A. Time-consuming

B. Lack of internal structure analysis

C. High cost

D. Requires high expertise

Answer: B

Explanation:

A. Time-consuming

While any thorough security test takes time, black-box testing can actually be faster to set up than white-box testing because the tester doesn't need to spend days or weeks studying source code or architectural diagrams before they start.

  • The Nuance: It can become time-consuming if the tester is "shooting in the dark" trying to find an entry point, but time is an operational constraint, not the fundamental technical limitation of the method.

B. Lack of internal structure analysis

This is the defining characteristic—and the primary weakness—of black-box testing.

  • Why it's the Answer: In black-box testing, the tester has zero knowledge of the "internals" (source code, database schemas, or server configurations). They only see the application as an end-user or an external attacker would.

  • The Risk: Because the tester cannot see the internal code paths, they might miss a massive vulnerability hidden in a section of the code that isn't easily reachable through the standard user interface (e.g., a "backdoor" left by a developer or a flaw in a specific logic branch). It provides a "surface-level" view of security.

C. High Cost

Cost is relative. In many cases, black-box testing is less expensive than white-box testing because it requires fewer hours of deep code review by highly specialized (and expensive) security engineers.

  • The Comparison: Automated black-box scanners (DAST) are often cheaper to run than complex static analysis tools (SAST) that require integration into the development environment.

D. Requires High Expertise

Actually, black-box testing often requires less specialized knowledge of the specific system being tested.

  • The Logic: A white-box tester must be an expert in the specific programming language (e.g., Rust, Go, or C++) and the specific framework used to build the app. A black-box tester only needs to understand common web vulnerabilities (like those in the OWASP Top 10) and how to manipulate inputs and outputs.

Podcasts

Check out my weekly podcasts that delve deep into the relevant topics related to each of the CISSP domains. In addition, I will go over specific questions and how they can be interpreted and answered.

CISSP Cyber Training Academy

Tired of not knowing how to study for the CISSP Exam? 

Check out the CISSP Cyber Training Academy to help you on your journey!

CISSP Cyber Training - YouTube

Check out my video collection on YouTube discussing all the details needed to help you pass the CISSP exam.   
