in reply to (OT) Black- vs. white-box testing
White-box testing — tests designed against the code which actually implements the functionality — is critical to evaluate the security of the code. Black-box (monkeys with typewriters) pounding at potential vulnerabilities is simply too inefficient to be valuable. It is good to have some standard black boxes (like buffer overflows), but even better to know "oh, this string gets eval'd — I'd better write a test to make sure it won't do anything stupid"
The intelligent reader will judge for himself. Without examining the facts fully and fairly, there is no way of knowing whether vox populi is really vox dei, or merely vox asinorum. — Cyrus H. Gordon