Penetration Test vs Vulnerability Assessment

Often times the terms VA and Pen test are used incorrectly, even by auditors!  Continue reading to learn how to break into a car!!!

So here is an analogy between the two, and for a more in-depth technical view check out the blog posted by Tony at

Breaking into a car – Vulnerability Assessment Style

I walk around the car and examine it.  I look for open windows, unlocked doors, hidden keys, and other easy ways in.  I will look for flashing LEDs to see if there is an alarm, maybe crawl underneath and see how easy it would be to cut the alarm wire.  Look at the physical surroundings to determine if I should just break the window and get in that way.  I write down the make/model of the alarm to determine if there is a backup alarm wire or to get the wiring schematics for it.  I look inside to see how hard it would be to unlock them with a coat hanger or Slim Jim (not macho man Randy Savage style either….)  I might even see if my armcould fit through the slightly open window to unlock the door.  Then I walk away and document my evidence and share the findings with you.

Breaking into a car – Penetration Test Style

I review the VA assessment and see that I cannot cut the wires easily (requires about 4 hours of labor to get to the correct wires) but can get a coat hanger in the open window and press the unlock button.  I know the alarm will not go off because it is an OEM alarm and if unlocked from inside it will not go off.  I get in the car… mission accomplished?  Heck no, that was just one way in!  I also use a Slim Jim to unlock the passenger side door to get in successfully.  I then break the back window and climb in that way.  Okay, enough damage is done time to write up a report!

So generally speaking – VA just says here are the potential risks and here is how to patch them.  Penetration test says here they are, this is how I got in, this is the amount of money in your savings account, and most importantly here is how to fix!

The next vital step is the review where we sit down with you and go over the results.  You may determine that its worth the $80 for a better alarm system as that will deter more car thieves. You also might decide that installing $5,000 “bullet proof” glass to prevent someone from breaking in doesn’t make much sense, because your car is only worth $8,000! Remember, acceptance is a perfectly acceptable solution when you are talking about risk mitigation!  There are even formulas to help figure out what to, and not to, and what to spend your security budget on.  It is SLE x ARO=ALE.  You can look up more details on this formula in this “Quantitative Risk Assessment” but it stands for Single Loss Expectancy times Annual Rate of Occurrence equals your Annual Loss Expectancy.  There is also the Qualitative Risk Analysis but this stuff can get boring fast, just get yourself an IT audit and let the experts help you decide what is worth investing in!

Again – check out Tony’s more technical blog about the differences below:


Discuss: “Penetration Test vs Vulnerability Assessment”

  1. November 19, 2011 at 4:30 pm #

    Aloha guys! Do you know where I can find more articles about this?

    Posted by