I recently read some guidance that you should do all your quality assurance first. Only then should you turn to penetration tests. You should also not think that these tests are a comprehensive method to achieve quality.
The normal mode of penetration testing is to subject a system to common attack vectors. You can do this cold, with no prior knowledge of the system, which is called black box testing. Or you can use information you already have about the system, which is called white box testing.
Beware the penetration test. It can be a never-ending task. You have to do good project management to schedule it, bound the scope, and complete the tests. I wonder if this is a fun job to do?