A system and method for application software security and auditing are disclosed. A particular embodiment includes an application security management system configured to: instrument one or more data input and output points of an application for one or more instances of data identified as sensitive data, access one or more policies corresponding to the one or more instances of the sensitive data, trace the one or more instances of the sensitive data through the application in association with the one or more policies, and generate an audit of each instance of the sensitive data indicating a route from which the sensitive data is accessed, to where the sensitive data is written, and where the sensitive data surfaces in the application.