Penetration testing (also called pen testing) is the practice of testing a computer system, network or web application to find vulnerabilities that an attacker could exploit. An external penetration test mimics the actions of a real attacker exploiting weaknesses in the network's security, but without the damage a real attack would cause. The test examines external-facing IT systems for any weakness an outside attacker could use to compromise the confidentiality, integrity or availability of the network, so that the organization can address each weakness before it is exploited.
Why bother with Penetration Testing?
"... Through the process of risk management, leaders must consider risk to U.S. interests from adversaries using cyberspace to their advantage and from our own efforts to employ the global nature of cyberspace to achieve objectives in military, intelligence, and business operations..."
"... For operational plans development, the combination of threats, vulnerabilities, and impacts must be evaluated in order to identify important trends and decide where effort should be applied to eliminate or reduce threat capabilities; eliminate or reduce vulnerabilities; and assess, coordinate, and deconflict all cyberspace operations..."
"... Leaders at all levels are accountable for ensuring readiness and security to the same degree as in any other domain..."
-- THE NATIONAL STRATEGY FOR CYBERSPACE OPERATIONS
OFFICE OF THE CHAIRMAN, JOINT CHIEFS OF STAFF, U.S. DEPARTMENT OF DEFENSE
Who can perform a penetration test?
We recommend deferring to the wisdom of the PCI Standards Council.
The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements.
The Council's five founding global payment brands -- American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. -- have agreed to incorporate the PCI DSS as the technical requirements of each of their data security compliance programs. Each founding member also recognizes the QSAs, PA-QSAs and ASVs certified by the PCI Security Standards Council.
In other words, the Council is responsible for the security requirements that credit card merchants must meet, and it has more expertise in this area than anyone else.
Given that background, when looking for a company to perform penetration testing, we believe you should use one approved by the PCI Standards Council: PCI Security Standards Council Approved Scanning Vendors