ISECOM's OSSTMM

The Institute for Security and Open Methodologies (ISECOM) publishes a paywall-protected version of their most recent Open Source Security Testing Methodology Manual (OSSTMM, http://www.isecom.org/research/osstmm.html); and version 4 is the latest one.  A silver or higher-status member can access the document, but earlier versions are accessible for free.

The OSSTMM works at a higher level to describe the processes for all forms of penetration testing, with web application testing elements sprinkled throughout.  We'll refer to it occasionally as we proceed, but consider this an optional reference for this book.