Conducting penetration testing in-house rather than using an outside consultant is worth considering for reasons of both cost and security expertise -- but it's also a step not to be taken lightly.