You need to substantiate the main idea of your responses by using experiences or referencing a credible information source

External testing usually comes from outside of the organization’s perimeters and the standards that they try to keep helps to eliminate any kind of manual errors. On the other hand, validation using internal resources and personnel might not be completely free from errors. Also, the testing may get limited to the knowledge within the organization whereas external resources bring more visibility to what would need to be tested from broader experience (Scarfone, Souppaya & Orebaugh, 2008). IT managers might not be able to make a comprehensive decision out of what is being presented by internal team’s validation results. Testing by internal resources might not exploit all vulnerabilities since it usually gets focused on system level testing, authentication and access control from an internal security perspective. Internal teams become more focused on finishing based on defined timelines and hence many adjustments of the test scenarios may happen to meet the schedules. If an external team is involved, process becomes more stringent as per their guidelines and hence the results become more oriented towards the goals without having any bias on the impacts from the results. Formal testing usually comes out of a hypothetical reasoning and internal resources may tend to bring in changes as test progress based on the expected goals (Davenport, 2009).

References:

Scarfone, K., Souppaya, M., Cody, A. & Orebaugh, A. (2008, September). Technical Guide to Information Security Testing and Assessment [PDF File]. Retrieved from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf

Davenport, T. H. (2009, February). How to Design Smart Business Experiments. Retrieved from https://hbr.org/2009/02/how-to-design-smart-business-experiments