Hi, I do not know the difference between penetration testing and other forms of security testing. Could anyone experienced in that area tell me the differences? I would really appreciate it. On a side note, is there any testing that simulates DoS? I do not know how to defend against it.
Securing a computer system is not something that can be done effectively by a layperson.
If you are not willing to invest the time to gain a solid foundation in systems security, hire a reputable consultant and trust their advice.
Insecure systems are everywhere. For instance, almost every single for-pay Wifi hotspot in use at hotels, coffee shops, and the like can have their paywall circumvented by someone with sufficient skill. If you don't know what you're doing, you won't even be aware that the vulnerability exists at all.
I am a penetration tester, and I'm happy to answer this question.
Penetration testing is usually a form of black box security testing. In a pen test you are trying to break into the server as many times as possible and report back on how they were able to break in. This is often done multiple times to make sure that the patches hold water. This is an important type of security testing because it's as real world as it gets. Regular penetration testing is a requirement of the PCI-DSS. Common tools for web application penetration testing are Acunetix($), NTOSpider($$$), w3af(open source) and Wapiti(Open Source). For other types of penetration testing it is common to use Metasploit(open source), OpenVAS(open source), NMAP and THC-Hydra.
By contrast, in white box testing you have full access to the source code. You can enable debugging on the application to get better test results from scanners like Acunetix. You can also use Source Code Analysis Tools such as RATS(Open Source) and Coverity($$$$$).
There are 2 different forms of Denial Of Service attacks. The most simple is a Distributed Denial of Service attack in which the hacker is using a botnet to flood your server with traffic. This traffic could be an ICMP Ping, or even a simple HTTP GET request. Cisco has a number of very expensive products to help prevent this type of attack.
Another form of Denial Of Service is when there is a problem with the server itself. When this type of security flaw is found, it's often given a CVE number because it is a violation of CWE-400. This is commonly due to an arithmetic overflow or stack/heap based memory corruption (a buffer overflow or dangling pointer). To prevent these types of attacks you should make sure that your software is up to date. It's not often that a 0-day DoS attack is used in the wild.
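An added example, not part of either answer above: a defender-side detector for the HTTP GET flood the last answer describes, which slides a time window over web access-log lines and separates one noisy source from a burst spread across many sources. The log lines, thresholds and function names are assumptions constructed for illustration.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: source address, timestamp, request method
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) \S+ [^"]*" \d{3} ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def detect_get_flood(lines, window_s=10, total_limit=100, per_ip_limit=30):
    """Return (sources over the per-source limit, distributed-flood flag)."""
    window = deque()      # (timestamp, ip) of GETs still inside the window
    per_ip = Counter()    # GETs per source inside the window
    offenders, distributed = set(), False
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(3) != "GET":
            continue
        ip, ts = m.group(1), datetime.strptime(m.group(2), TS_FMT)
        window.append((ts, ip))
        per_ip[ip] += 1
        # Expire requests older than the window
        while (ts - window[0][0]).total_seconds() > window_s:
            _, old_ip = window.popleft()
            per_ip[old_ip] -= 1
            if per_ip[old_ip] == 0:
                del per_ip[old_ip]
        if per_ip[ip] > per_ip_limit:
            offenders.add(ip)
        # High aggregate rate although every source stays under its own limit
        if len(window) > total_limit and max(per_ip.values()) <= per_ip_limit:
            distributed = True
    return offenders, distributed

def make_sample():
    """Constructed log lines (documentation address ranges), not real traffic."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    def line(offset_s, ip):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET / HTTP/1.1" 200 512'
    quiet = [line(i * 5, "192.0.2.10") for i in range(6)]            # baseline
    noisy = [line(60 + i * 0.1, "198.51.100.7") for i in range(40)]  # one source
    burst = [line(120 + i * 0.02, f"203.0.113.{i % 200 + 1}")        # 200 sources
             for i in range(400)]
    return quiet + noisy + burst

if __name__ == "__main__":
    print(detect_get_flood(make_sample()))
```

A per-source limit alone misses the distributed case, since each of the 200 sources in the constructed burst sends only two requests; the aggregate check is what flags it.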