mbraylyan closed 7 months ago
OWASP actually has a number of resources directly related to this: the Web Security Testing Guide and Application Security Verification Standard. They're pretty long and dense, and I haven't read through both of them yet. But it is fairly likely that I won't be able to use the entirety of the ASVS or the testing guide, as pentesting is firmly outside of the scope.
Using a discovered resource, create/adopt standards to judge WebApps used by clients. These standards should involve references to common problems and vulnerabilities with WebApps, and help provide guidelines for suggesting a solution/fixing the problem.