Hi Troy:

Independent internal and external penetration testing are compliance requirements for some environments subject to the PCI DSS (Payment Card Industry Data Security Standard) and other business or government regulations. It can be very expensive.

There are a couple security vendors MSU works with who do this work. I have worked with one of them on penetration testing projects. Please feel free to get in touch to discuss. I'm leaving for the day in a few minutes but I'll be available tomorrow.

If you don't need independent testing, then Backtrack and Metasploit, as suggested by BJ McPhall, are great tools. High learning curves but very powerful.

Gene

--
Gene Willacker, PCI ISA
PCI Compliance Officer
MSU Controller's Office
110 Administration Building
Michigan State University
517-884-4110

On 8/16/2012 1:01 PM, Troy D Murray wrote:
> Afternoon everyone,
>
> I'm thinking about doing some penetration testing for our public
> facing Internet servers and web applications. Just curious if others
> here on campus have done this type of testing and would be willing to
> share, either off-list or on-list, feedback or experiences. Who did
> you use, and how was it, would you recommend them, etc?
>
> Thanks,
>
> Troy Murray
> Michigan State University
> College of Medicine
> Life Science
> 1355 Bogue St, B-136D
> East Lansing, MI 48824
> E: [log in to unmask]
> P: 517-432-2760
> F: 517-355-7254
> RedHat 5 Certified Technician
> RedHat 5 Certified Systems Administrator
> HL7 V2.6/2.5 Certified Control Specialist