Linode Forum
Linode Community Forums
Posted: Thu Feb 12, 2015 2:06 pm
Senior Member
Joined: Thu Jul 12, 2012 3:55 pm
Posts: 133
Website: http://www.amitywebsolutions.co.uk
I would like to say we can supply very secure servers. Usually we install a firewall and close all ports except ports 80/443 (and maybe email) and add our office IP to the allow list. We can ensure the website systems we will use are up to date and implement any of their security guidelines. The server will be updated often. I have access to a free PCI scanning service online, so I can fix any issues it reports, so I think we have a secure setup.

A potential customer's previous hosting company said their server passed penetration tests. So I would like to look into doing this, so we can identify any issues and fix them, and also pass a penetration test.

Does anyone know how best to perform our own tests, or some affordable service/software that can do it? Google doesn't give much away; a bunch of sites I have to contact for a quote, which will inevitably mean an expensive service probably. So ideally some software we can run ourselves or something?

Thanks

_________________
Web Development Agency in South Wales
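
A self-check for the policy described in the post above (only 80/443 open to everyone), added here as an example and not part of the original thread: it parses `ss -tlnH` output and lists listeners bound to non-loopback addresses on other ports, which are the ones the firewall or the office-IP allow list has to cover. The sample output and the function names are constructed for illustration.

```python
import ipaddress

# Policy from the post: only HTTP/HTTPS reachable from anywhere.
# (Add mail ports here if the "maybe email" case applies.)
PUBLIC_PORTS = {80, 443}

# Constructed sample of `ss -tlnH` output (not from a real host).
SAMPLE_SS = """\
LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
LISTEN 0 511  0.0.0.0:80        0.0.0.0:*
LISTEN 0 511  [::]:443          [::]:*
LISTEN 0 80   127.0.0.1:3306    0.0.0.0:*
LISTEN 0 128  [::1]:6379        [::]:*
LISTEN 0 4096 127.0.0.53%lo:53  0.0.0.0:*
LISTEN 0 100  *:25              *:*
"""

def parse_listener(line):
    """Return (address, port) from one `ss -tlnH` line, or None."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "LISTEN":
        return None
    addr, _, port = fields[3].rpartition(":")
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
    return addr, int(port)

def is_loopback(addr):
    if addr == "*":  # wildcard bind: every address, IPv4 and IPv6
        return False
    return ipaddress.ip_address(addr).is_loopback

def needs_firewall_rule(ss_output, public_ports=PUBLIC_PORTS):
    """Listeners reachable off-host on ports that are not meant to be public."""
    findings = set()
    for line in ss_output.splitlines():
        parsed = parse_listener(line)
        if parsed is None:
            continue
        addr, port = parsed
        if not is_loopback(addr) and port not in public_ports:
            findings.add((addr, port))
    return sorted(findings, key=lambda f: f[1])

if __name__ == "__main__":
    for addr, port in needs_firewall_rule(SAMPLE_SS):
        print(f"{addr}:{port} is not loopback-only; deny it or allow-list it")
```

A listener reported here is not necessarily reachable from outside; it is a socket that depends on the firewall rule being correct, so it is worth comparing this list against the ruleset after every change.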


Posted: Thu Feb 12, 2015 3:16 pm
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
https://www.qualys.com/ have various security tests; one of those might suit your needs.

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue


Posted: Fri Feb 20, 2015 8:25 pm

Joined: Fri Feb 20, 2015 7:50 pm
Posts: 1
It probably would be helpful to qualify terms.

What is usually referred to as a pen test involves hiring skilled security specialists to attack more than just a given server. The goal is to find weaknesses that could compromise vital business functions the same way someone skilled and malicious would. For instance, you mentioned your local systems are allowed remote access. A pen tester who knows or guesses this will likely drive by your office to see how your wifi holds up. They may attempt to social engineer employees or vendors, dumpster dive, drop interesting thumb drives in your parking lot to see if people plug them into a work machine, etc. Depending on what you contract, you may get detailed reports on topics from physical security to cost-benefit analyses of various mitigation strategies. This is invariably not cheap.

It sounds like you're actually looking for a vulnerability scan. Someone else mentioned the Qualys tools; you might also google 'Metasploit', one (very good) tool in the toolbox of professional pen testers. While you're playing with that, you might also want to check things like MX Toolbox (which will help audit your email security and incidentally possibly point out DNS issues). This will help you look for known vulnerabilities in software, but don't confuse it with a pen test. A clever attacker is infinitely more flexible than any pile of bits.

