182 ◾ Information Security Management Handbook
competency to a certain degree. For example, if a testing team states that it will be using
Nmap as the only tool for a web application test, it should raise concerns because that tool is not
designed to be a web application tool. Knowing the exact tools being employed is also useful for
understanding and preparing for any possible side effects that could result from the testing activity.
A professional security testing team should follow a structured methodology for conducting
any type of test. Two requirements for the security testing process are consistency and repeatability.
The implementation of a consistent testing methodology ensures that the process will be
performed the same way ...