The Register: The Man Behind OSSTMM

Why do we need a security testing methodology? And why
open source?

“Without a security testing methodology, the actual test tends
to be all over the place. One tester actually described this once
to me as his test being ‘a mess’ without it. The real answer is
that a methodology is required to test anything thoroughly. As
humans, we take short-cuts. We assume we know an answer or we know
what’s going on because of past experiences and we cut to the chase
because time is money and all that. However, when that happens, we
leave many unverified (unanswered) questions and report our
assumptions as if they were facts. A good security methodology does
not let you do that…”