MAS's cyber risk management guidelines mandate a combination of black box and gray box pentests for FIs. In a black box pentest, the security assessor uses a network scanner to identify, and then examine, vulnerable assets (e.g., operating systems, ports, services, applications) in the FI's Internet-facing environment that could potentially be exploited by a hacker operating from outside the organization's network. The pentester's knowledge of the target system, in this case, is limited to IP address ranges and known URLs.
A gray box pentest, another MAS requirement, is a step up in the pentesting hierarchy. Unlike black box testing, gray box testing gives the security assessor the same access credentials as a customer (of, say, an online banking service), and the pentester is provided with the relevant URL. Gray box testing in this case is limited to the FI's business-to-customer (B2C) services (e.g., online retail banking, online corporate banking, online securities trading). Essentially, a black box pentester considers the Internet-facing assets from the perspective of an external ethical hacker, while a gray box tester has the access and knowledge levels of a user within the target system.
The MAS advisory on cyber risk management also suggests that FIs launch "bug bounty" programs with attractive cash awards to complement the annual pentest, so that ethical hackers ("white hats") are encouraged to "hack" the FI's Internet-facing infrastructure and discover and report vulnerabilities. The pentest exercise, together with the bug bounty program, helps bolster the overall security of the FI's online assets.