2

the PCI DSS document states:

11.3.2
Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub network added to the environment, or a web server added to the environment).

11.3.1
Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).

How can I perform an internal penetration test on my webserver? Is there any software that can do this? And what would this software do? If someone has access to the internal workings of the webserver, then they would have access to everything?

Can anyone recommend any software that is easy to use that can do the internal / external pen testing? And would I need to upload it / send it to my hosting company?

user1398287
  • Need more info - are you storing CC info on a database at the hosting site? Is the hosting company specialized to deal with PCI compliance? Is it a shared or dedicated server? – schroeder Mar 11 '14 at 19:31

2 Answers

1

I deleted my previous answer because I decided that it required too much overhaul.

Internal penetration testing happens within your organization to test how vulnerable you are to an inside threat. External penetration testing is done from outside the organization to test how vulnerable you are to an outside threat. In both cases, a penetration tester probes for vulnerabilities and reports on the findings. Yes, there is software for this, but the software is a tool for a professional; it does not replace one.

When you host a web server and/or database with a third party, the game changes. External testing can be performed that also includes application vulnerability testing (which is what my previous answer focused on). But internal testing now becomes a challenge. Some hosting companies that specialize in hosting PCI-compliant servers will perform the testing themselves and report to you on the results. If you are storing credit card details on a server hosted by a third party, you might be non-compliant if you don't have a dedicated server. Check with your hosting company to see if they handle PCI compliance.

The short answer is:

  1. penetration testing is done by a professional
  2. you need to work with your hosting company to get and remain compliant
schroeder
  • You should probably bold the 1st point above ;) – CtrlDot Mar 11 '14 at 19:44
  • This is not true; the pen tests only have to be done by a qualified internal resource or a qualified third party. There is nothing that states that the pen tester needs to be a professional pen tester. Also, there is nothing that states the qualifications needed. – user1398287 Mar 12 '14 at 10:58
  • I didn't say that it has to be a professional penetration tester. – schroeder Mar 12 '14 at 18:10
0

Internal in this case means internal to the cardholder environment. You are trying to enumerate the risk that you are attacked from the inside of your network. For your web application you would typically test the parts of the web application that are "internal" (i.e. the database, middleware, etc.) with the internal pen test. You also need to test the parts of the application that are available outside the network ("externally"); this would be the web server itself. Here you are trying to enumerate the risk of an external attacker hacking your website from outside of your perimeter.

The cheap and easy de facto standard for doing web application pen tests is Burp Suite; there is a free version. You'll need another tool to test the common host and network level vulnerabilities; there are hundreds of them.

Jonas
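The two answers above draw the line between the internal scope (database, middleware, anything only reachable from inside the cardholder environment) and the external scope (the web server itself). A practical first step before engaging a tester is to inventory which listening services on the host fall into which scope. The script below is an added example, not code from either answer or from any tool named here; it parses `ss -ltn`-style output (the sample is constructed, not captured from a real host) and sorts each listener into external, internal, or loopback-only, using an assumed list of internal address ranges.

```python
"""
Sort a host's listening TCP services into PCI DSS 11.3 test scopes:
  external   - bound on a public/wildcard address, reachable from outside
  internal   - bound on an address only reachable inside the cardholder
               data environment
  local-only - loopback, not reachable over the network at all
Added example; the sample `ss -ltn` output and the internal CIDR list are
constructed assumptions about a hypothetical environment.
"""
import ipaddress

# Constructed sample of `ss -ltn` output (hypothetical host, not real data).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     10.0.1.5:8080        0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       128     [::1]:6379           [::]:*
"""

# Assumed: address ranges that are only routable inside the cardholder
# data environment. Adjust to the real segmentation of your network.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def parse_local_address(field):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]")
    if host == "*":            # older ss prints the IPv4 wildcard as '*'
        host = "0.0.0.0"
    return ipaddress.ip_address(host), int(port)


def classify(ip):
    """Return which test scope a listener bound to this address falls in."""
    if ip.is_loopback:
        return "local-only"
    if ip.is_unspecified:      # 0.0.0.0 / :: -> every interface, public included
        return "external"
    if any(ip in net for net in INTERNAL_NETWORKS):
        return "internal"
    return "external"


def scope_listeners(ss_output):
    """Map each scope name to a sorted list of (address, port) listeners."""
    scopes = {"external": [], "internal": [], "local-only": []}
    for line in ss_output.splitlines()[1:]:   # skip the header row
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        ip, port = parse_local_address(parts[3])
        scopes[classify(ip)].append((str(ip), port))
    for listeners in scopes.values():
        listeners.sort()
    return scopes


if __name__ == "__main__":
    for scope, listeners in scope_listeners(SAMPLE_SS_OUTPUT).items():
        print(f"{scope}:")
        for addr, port in listeners:
            print(f"  {addr}:{port}")
```

Feed it the real `ss -ltn` output from the host (pipe it into `sys.stdin` or swap the constant) and the "external" list is what an external test can reach from outside the perimeter, while "internal" is what only an inside tester, or the hosting company on your behalf, can exercise. Loopback-only services are still worth listing: they are exactly the database and middleware pieces the second answer places in the internal test.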