
How to do security testing for web applications?

The following eleven steps are required to perform security testing for web applications:

  1. Understand the business requirements: Understand the business structure and functions together with the security goals. This in turn helps in analyzing all the security needs of the organization.
  2. Identify the security needs: Analyze the specific software application that needs to be security tested so that its security needs can be adequately met.
  3. Gather the system setup information: Properly gather the system setup information that was used to develop the network and the web application.
  4. Assess the vulnerabilities: Identify the possible vulnerabilities and risks and prepare a list of them.
  5. Consider a threat profile: Prepare a threat profile based on the information in that list.
  6. Prepare the test plan: Prepare a test plan according to the identified risks and possible vulnerabilities.
  7. Prepare a traceability matrix: Prepare a traceability matrix for each vulnerability and risk.
  8. Consider manual and/or automated security testing: Depending on the project scope and requirements, decide between manual and automated security testing. In some scenarios both manual and automated security testing can be used. Automated security testing tools can improve the efficiency of automated security testing.
  9. Prepare the document: Prepare the security test case document and have it ready.
  10. Execute the tests: Carry out the execution of the security test cases; the defects that have been identified are fixed and retested. The regression test cases are also executed.
  11. Create a report: Create an in-depth report detailing the specific security testing activities that have been conducted, the vulnerabilities and risks that have been identified, and the risks that still persist. The security testing team should prepare the report meticulously, covering all the relevant points in an organized and articulate manner.
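As an added example that is not part of the original article, the following Python sketch ties steps 4, 7, 10 and 11 together: it builds the traceability matrix from the list of identified risks and the test cases that cover them, then produces the report data (risks with no test case, test cases never executed, and risks that still persist after the fix and retest). All ids, findings, results and function names are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
# Added example, not the article's code: ids, findings and results are constructed.
@dataclass
class Risk:
    rid: str
    description: str
    severity: str          # "high", "medium" or "low"

@dataclass
class TestCase:
    tid: str
    covers: list[str]      # risk ids this test case verifies
    result: str | None     # "pass", "fail", or None if not yet executed

def traceability_matrix(risks: list[Risk], tests: list[TestCase]) -> dict[str, list[str]]:
    """Step 7: map every identified risk to the test cases that cover it."""
    matrix = {r.rid: [] for r in risks}
    for t in tests:
        for rid in t.covers:
            if rid not in matrix:
                raise ValueError(f"{t.tid} references unknown risk {rid}")
            matrix[rid].append(t.tid)
    return matrix

def build_report(risks: list[Risk], tests: list[TestCase]) -> dict:
    """Steps 10-11: report uncovered risks, unexecuted tests and persisting risks."""
    matrix = traceability_matrix(risks, tests)
    still_failing = {rid for t in tests if t.result == "fail" for rid in t.covers}
    order = {"high": 0, "medium": 1, "low": 2}   # highest severity first
    persisting = sorted((r for r in risks if r.rid in still_failing), key=lambda r: order[r.severity])
    return {
        "untested": sorted(rid for rid, tids in matrix.items() if not tids),
        "unexecuted": sorted(t.tid for t in tests if t.result is None),
        "persisting": [f"{r.rid} ({r.severity}): {r.description}" for r in persisting],
    }

# Constructed sample input: findings from step 4 and results from step 10.
RISKS = [
    Risk("R1", "SQL injection in login form", "high"),
    Risk("R2", "Missing CSRF token on profile update", "medium"),
    Risk("R3", "Verbose error pages expose stack traces", "low"),
    Risk("R4", "Session cookie set without the Secure flag", "medium"),
]
TESTS = [
    TestCase("T1", ["R1"], "pass"),
    TestCase("T2", ["R2"], "fail"),
    TestCase("T3", ["R1", "R3"], None),
]
```

Calling `build_report(RISKS, TESTS)` flags R4 as never covered by a test case, T3 as never executed, and R2 as the risk that still persists.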