    Episode 51 · December 16, 2025 · 19m listen · 420 words · ~2 min read

    The Differences Between Black, Gray, and White Penetration Testing | Ep. 50 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 51 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.

    Episode summary

    This episode of The Med Device Cyber Podcast delves into the critical distinctions between black, gray, and white box penetration testing, specifically within the medical device cybersecurity landscape. Hosts discuss the varying levels of information provided to testers in each approach: black box (no prior insight, mimicking a

    Key takeaways from this episode

    • Black box testing simulates an attacker with no prior knowledge, offering a realistic but potentially less thorough assessment of low-hanging fruit vulnerabilities.
    • Gray box testing provides some internal insight, like user credentials or architecture diagrams, allowing for a more comprehensive assessment than black box.
    • White box testing offers the most complete access, including source code and engineering contacts, enabling the deepest and most targeted vulnerability assessment.
    • The FDA, while not explicitly mandating a specific penetration testing type, effectively steers manufacturers toward white box testing through requirements like static application security testing and SBOM analysis.
    • Opting for white box penetration testing from the outset can prevent costly delays, repeat testing, and potential FDA deficiencies by ensuring comprehensive coverage and adherence to regulatory expectations.
    • Prioritizing comprehensive white box testing not only satisfies regulatory requirements but also significantly enhances patient safety by thoroughly identifying and mitigating potential security risks.

    Full episode transcript

    Hi, welcome back to another episode of the Med Device Cyber Podcast. Today we're talking about penetration testing, specifically what are the differences in black, gray, and white penetration testing? Penetration testing is also known as ethical hacking. We're talking about this in the context of medical device cybersecurity and what the FDA and other regulatory bodies are really looking for, because sometimes black is not enough, gray is not enough. White might be the preferred, but we'll dig into that topic here in a second. I've got these cool glasses. They don't look so cool on screen, but Trevor claims I will sleep like a baby tonight because I'm wearing these glasses, even though I haven't slept in three days because I just got back from Singapore and am leaving for Europe tomorrow. So, I feel like I have permanent jet lag.

    Well, they won't help with that, but they will make it easier to fall asleep when you're staring at a screen for 14 hours a day, as we typically do.

    So, we'll start with black. Black box testing means the device is like a black box. We don't know anything about it. We don't have much documentation other than maybe a user manual. We don't have a lot of visibility into it. We can't talk to the software developers. We have user-level access. Is that a good explanation for black box penetration testing?

    Exactly. It would be thought of as an attacker walks into a room, they want to cause some damage to something, but they don't have any prior insight into whatever it is. They see a device sitting on a table, they just grab it and try to hack into it. So, that's the perspective that we're coming into a black box penetration test from. It's a little bit difficult at times, as you know, penetration testers. Of course, we're doing this differently from actual bad guys. We are contracted to do it. People are willingly paying and asking us to hack into their products. So, they know we're doing it, but they still have to try to keep as many secrets from us as possible. When we're trying to understand what we are testing, what we are allowed to do, and what we aren't, they have to set some guidelines on that without giving up too much information. So, it can be a little bit interesting, and sometimes it's funny too, working with clients on these engagements for a black box test. We'll say,