| Testing Type | White-box | Black-box |
|---|---|---|
| Access to Code | Required (analyzes source code or binaries) | Not required (tests the application from the outside) |
| When Used | Early in the SDLC (coding/build phase, before anything is deployed) | Later in the SDLC (against a running build, during or after deployment) |
| What It Tests | Source code, bytecode, or binaries | The running application: web interfaces, APIs, exposed services |
| Finds | Code-level issues (e.g., string-built SQL queries, hardcoded secrets, unsafe API use) | Runtime issues (e.g., business-logic flaws, authentication/authorization problems, misconfiguration) |
| False Positives | Higher (reasons about code paths without executing them, so it may flag paths that are unreachable or already sanitized) | Lower (each finding is backed by an observed response) |
| Speed | Fast (no need to run the app; can run on every commit) | Slower (requires a deployed app and many interactive requests) |
| Tool Examples | SonarQube, Checkmarx, Fortify | OWASP ZAP, Burp Suite, Acunetix |
| Language Dependency | Language-specific (the tool must parse the language and know its sinks) | Language-agnostic (only sees HTTP, not the implementation) |
| Use Case | Secure code review, CI/CD integration | Real-world attack simulation, post-deployment testing |
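The "Access to Code", "Finds" and "False Positives" rows of the table are easiest to see side by side on one bug class. The example below is added here and is not part of the original page or of any of the tools it names: it pairs a tiny white-box check (an `ast`-based scan for `execute()` calls whose query string is built by concatenation or formatting, which never runs the code) with a tiny black-box check (a probe that only sees a request/response callable and judges by error and boolean-differential behaviour). `SAMPLE_SOURCE`, `make_app`, `static_scan` and `dynamic_probe` are constructed for the illustration; the in-memory SQLite "application" stands in for a deployed target.

```python
import ast
import sqlite3
from typing import Callable

# Constructed sample source for the white-box side. The scanner parses it
# but never executes it, which is exactly what a SAST tool does.
SAMPLE_SOURCE = '''
def lookup(cur, user_id):
    cur.execute("SELECT name FROM users WHERE id = " + user_id)      # vulnerable
    cur.execute(f"SELECT name FROM users WHERE id = {user_id}")      # vulnerable
    cur.execute("SELECT name FROM users WHERE id = %s" % user_id)    # vulnerable
    cur.execute("SELECT name FROM users WHERE id = ?", (user_id,))   # safe: parameterised
    cur.execute("SELECT " + "1")                                     # flagged, but constants only
'''


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression assembles a string at runtime (f-string,
    concatenation, %-formatting or str.format)."""
    if isinstance(node, ast.JoinedStr):
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True  # note: also true for "a" + "b", a classic SAST false positive
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"
    return False


def static_scan(source: str) -> list[int]:
    """White-box check: line numbers of execute() calls whose first argument
    is a string built at runtime. Language-specific (Python AST only)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args
                and _is_dynamic_string(node.args[0])):
            findings.append(node.lineno)
    return sorted(findings)


def make_app(vulnerable: bool) -> Callable[[str], str]:
    """Constructed black-box target: the probe gets only this callable and
    sees responses, never the query text behind them."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])

    def handle(user_id: str) -> str:
        try:
            if vulnerable:  # string-built query, the pattern static_scan flags
                rows = con.execute("SELECT name FROM users WHERE id = " + user_id).fetchall()
            else:           # parameterised query
                rows = con.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchall()
        except sqlite3.Error as exc:
            return f"500 {exc}"
        return "200 " + ",".join(r[0] for r in rows)

    return handle


def dynamic_probe(app: Callable[[str], str]) -> dict:
    """Black-box check: send a quote to break syntax and a true/false pair to
    detect a boolean differential. Language-agnostic: only responses are used."""
    broken = app("1'")
    true_case = app("1 OR 1=1")
    false_case = app("1 OR 1=2")
    return {
        "error_on_quote": broken.startswith("500"),
        # A safe app treats both payloads as an opaque id and answers identically.
        "boolean_differential": true_case.startswith("200") and true_case != false_case,
    }


def is_injectable(app: Callable[[str], str]) -> bool:
    result = dynamic_probe(app)
    return result["error_on_quote"] or result["boolean_differential"]


if __name__ == "__main__":
    print("white-box findings (line numbers):", static_scan(SAMPLE_SOURCE))
    print("black-box, vulnerable build:", dynamic_probe(make_app(vulnerable=True)))
    print("black-box, fixed build:", dynamic_probe(make_app(vulnerable=False)))
```

The static scan reports five `execute()` calls but only four are real problems: line 7 concatenates two constants, which is the "higher false positives" cost of reasoning about code without running it. The dynamic probe cannot see line 7 at all and reports nothing for the fixed build, but it needed a deployed target and several requests to reach that verdict, and it would have missed a hardcoded secret that never affects a response.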