Sharing my research about penetration testing per PCI

Former Member

Hello all,

Thought I might share the results of my research into network and web penetration testing solutions. First, in talking with some other organizations, I found that there is some confusion as to the difference between penetration testing and vulnerability scans. They are not the same thing! Penetration testing is required by PCI DSS 11.3 for internal, external, and web applications, and is a more manual process of trying to get in by exploiting a vulnerability found by the vulnerability scans.

I researched about 6 companies that provide this service for you. This is a much more costly route and the range was anywhere from $15K - $23K. That quickly became impossible for us. Remember that this is an annual expense.

Then I found some products and services that allow you to do the testing yourself. The product we decided upon is called WebSaintPro (www.saintcorporation.com). There are several pieces to this product: the external penetration testing and the web penetration testing are done through a SaaS. This covers the part of the requirement that says you need to have an external party do this.

The internal penetration testing is done through an appliance called SaintBox. It comes pre-loaded with SaintExploit and SaintScan (vulnerability scanning).

So far, we are happy with the products and the information they are providing. Thought you might benefit from my research. If anyone wants to talk to me personally or has specific questions, let me know.

Gloria