Application-level security testing is also commonly known as black-box testing or ethical hacking. Penetration testing is essentially the art of testing a running application remotely to find security vulnerabilities, without knowing the internal operations of the application itself. To provide a fully secure solution, we integrate code scanning with application penetration testing to make sure that the application layer is secured. Application-level testing investigates software behavior and verifies that the software complies with security requirements. We use automated and manual procedures to validate web application security from two aspects.