Flaw hypothesis methodology is a systems analysis and penetration prediction technique where a list of hypothesized flaws in a system are compiled through analysis of the specifications and documentation for the system. The list of hypothesized flaws is then prioritized on the basis of the estimated probability that a flaw actually exists, and on the ease of exploiting it to the extent of control or compromise. The prioritized list is used to direct the actual testing of the system.
The flaw hypothesis methodology of penetration testing includes three types of tests: open-box testing, black-box testing, and grey-box testing. Black-box testing is concerned only about the expected result of a software program and does not examine how the software program is coded to produce the expected result. Open-box testing or white-box testing focuses specifically on using the internal knowledge of the software. In white-box testing, a security firm is provided with a production-like test environment, login details, production documentation, and source code. Grey-box testing includes testing algorithms, architectures, or other high-level descriptions of the program code. Grey-box testing is performed by security professionals with limited inside knowledge of the network.