Security testing for web-based applications differs fundamentally from functional testing in a number of ways, and these differences should shape how we test web applications for security. This paper attempts to identify the resulting challenges, in the hope that this information will serve as useful input for developers of security testing tools and test managers for security projects.