To gain a better understanding of the risk associated with a vulnerability, one must gather contextual information about how the application is used.
For example, a cross-site scripting (XSS) vulnerability found post-authentication on an internal app accessible to only 10 employees within the organization will have a lower risk of exploitation than a pre-authentication XSS found on an Internet-facing app.
Questions to ask:
Business Purpose: What business function does the application serve? How important is the application to the success of the business's goals?
User Population: How many and what type of users are anticipated to use the application?
Data Types: What type of data does the application process and/or store? Are there any PII or PCI elements?
Access Roles: How many roles does the application offer, and to what granularity?
Depth of the Application: How many pages/components does the application consist of? [Crawl the application]
Web/Application Server: What web and application server product does the application run on? [Fingerprint the front end]
Back-End Server: Is data stored in a relational database (e.g. SQL) or in flat files? [Fingerprint the back end]