For the external attack vector, our client does not require that our A&P tools (or security testing tools, if you will), which are the usual combination of open source (think www.sectools.org) and commercial (Nessus, Qualys, WebInspect, DevInspect, etc.), go through their internal risk assessment process. However, for the internal attack vector, all tools used must be risk evaluated and approved. Risks of using the tools must be identified, such as port hangs, system crashes, network congestion, network interruption, inadvertent data disclosure, etc. For convenience, we are currently primarily using the BackTrack 4 distro, supplemented with some commercial tools.
I am looking for any previous work done on risk rating the large list of popular open source and commercial security testing tools, or any specific distros, including BackTrack 4. Any assistance is appreciated!