Since we have a huge contract to certify and accredit a bunch of web applications (about 90) before they move to their new site, I thought this SANS summit might be a good idea. Traditionally, we test tactical systems or networks, but because of this contract we've had to adapt to application security testing.
We're getting a process down after our first couple of applications. Since we're not too worried about the hardware and operating system (we don't have any control over where they are moving to), we've been concentrating on the databases, the web server (site-based), and the Application Development STIGs. We test the actual database with a tool, and we crawl the code with a tool. The deadlines are insane, and the clients are not the most helpful. But I don't have to travel, and the work is different.