A security assurance officer is preparing a plan to measure the technical state of a customer’s enterprise. The
testers employed to perform the audit will be given access to the customer facility and network. The testers will
not be given access to the details of custom developed software used by the customer. However, the testers
with have access to the source code for several open source applications and pieces of networking equipment
used at the facility, but these items will not be within the scope of the audit.
Which of the following BEST describes the appropriate method of testing or technique to use in this scenario?