With the evolution of technology making perimeter access devices more secure, and the rise in the sophistication of e-business-focused attacks, the security focus has shifted to the next battlefront: applications.
Application security involves checking the security controls of an application, not the operating system or device that hosts it. The security review is directly related to applications that have been custom developed or built on top of other commercial applications. Application security testing does not involve looking at hosting software such as web servers, but rather focuses on the application software itself. For example, for an application developed using Active Server Pages (ASP) on a Microsoft Internet Information Server (IIS) running on a Windows 2000 operating system, the focus of the application security testing would be the ASP application; neither IIS nor Windows 2000 would be tested.
Application security testing is a specialized form of penetration testing that uses automated and manual testing strategies to assess the development efforts behind web-based applications. Assessments can be executed using black-box methodologies from an attacker's point of view, or grey-box strategies that review source code and develop threat models.