A system and method for application software security and auditing are disclosed. A particular embodiment includes an application security management system configured to: cause installation of a client application (app) agent in a client app on a client app server; communicate with the client app agent via a data network to collect trace data corresponding to data elements accessed in the client app and previously identified as sensitive data; cause transfer of information indicative of the trace data to a host site via the data network; identify a policy corresponding to the trace data; and apply the identified policy to the sensitive data elements in the client app.