Application security assessment is a unique area of assessment and penetration testing. Unlike infrastructure-based assessments, the methodology used by a security professional for identifying security vulnerabilities and significant issues is highly dependent upon the type of application being assessed.
Although several high-level methodologies do exist (and some guides can indeed be quite comprehensive), they are often not generic or versatile enough to cope with the wide variety of custom applications commonly encountered. Many methodologies used by professional security assessment organizations are in fact highly guarded.
In general, the applications are normally subjected to the following groups of tests:
Regardless of whether it is a web-enabled client-server application or a tiered compiled application, the methodology actually implemented by the security consultant to assess the security of all client-side functionality will also be subject to the consultant's own experience and skill set.