Dynamic Analysis

Dynamic Analysis, or Black Box Testing, is the analysis of computer software by executing testing programs in a run-time environment.
The use of dynamic analysis for Web applications will help identifying security issues before hackers can exploit them.
To initiate the test, make a request to the website.
Unlike static analysis, dynamic analysis doesn't have access to the source code and therefore detect vulnerabilities by actually performing authorized attacks.
There are two types of dynamic analysis for web applications: Web Application Vulnerability Scan (WAVS) and Web Application Penetration Test (WAPT).

WAVS is set to find vulnerabilities in Web applications; WAPT not only verifies the existence and exploitability of potential vulnerabilities, but also assesses the overall security of a Web application by attempting to compromise it using attacker techniques.
WAVS identifies the problems which may have already occurred rather than evaluating against a real attack like WAPT does.
WAPT is active in that it is able to attack a system and measure its readiness. WAVS, on the other hand, is passive because it does not address the implications of a successful intrusion and only lists what the potential vulnerabilities may be without probing deeper to reveal the true threat to assets.

Many WAVS tools exist to analyze Web vulnerabilities with a GUI, a spider, a scanner, and an up-to-date vulnerabilities database.
View a list of commercial WAVS tools, Software-as-a-Service WAVS providers, free/open source WAVS tools at WASC.
View a list of website security scanning tools at SoftwareQATest.com.
View WASC's Web Application Security Scanner Evaluation Criteria
Demo

A common security frame used by WAPT is the OWASP's Top Ten issues.
View an example video at www.coresecurity.com.
OWASP's Web application penetration project. It's Testing Guide lists typical testings as follows:

Firefox has many plugins specifically designed for web application penetration testing.

SDLC