Penetration testing reported zero vulnerabilities. Does this mean my web app is secure?
-
I've spent many hours on whitebox testing to make sure my code was safe. From a theoretical standpoint, the code SHOULD be safe. I then used several widely known testing tools (including one that cost $3500) to test for SQL injection, cross-site scripting, CRLF injection, file handling security, and more. All software came up with 0 vulnerabilities found. Can I assume my app is 99% secure at this point? Has anyone ever done blackbox testing and thought it was safe only to find out otherwise?
-
Answer:
The question is, "Do you know how to use the testing tools?" A tho...
Benjamin Teo at Quora
Other answers
Unfortunately, security testing is only a snapshot and is only as good as the tools used and the knowledge and skill of the person doing the testing. It sounds like you've done a lot, and the lack of vulnerabilities found by multiple tools supports a higher level of confidence. But you should plan for regular ongoing testing, e.g. automated Internet scans from a security service on at least a monthly basis, and more intensive testing with absolutely current tools every 6 months. Also essential is use of a web application firewall to filter malicious web requests, and systems for real-time detection of potential intrusion activity.

You mention "99% secure", which implies that you realize 100% is not possible in the real world. But speaking figuratively, it's that remaining 1% that represents the one chink in your defenses that may be really hard to exploit and take an elite hacker to do it. But it will eventually happen, which is why ongoing vigilance and re-testing is needed for every system connected to the Internet. I know this is a lot, but such is the nature of the threat these days.

EDIT: The Heartbleed (OpenSSL) and more recent Shellshock (bash shell) vulnerabilities underscore the need to stay on top of what software components and libraries your system is using, and get them patched immediately when necessary. These are vulns that would never have shown up during any sort of security testing.
Derek Schatz
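The "stay on top of what software components and libraries your system is using" point in the answer above is, in practice, an inventory compared against advisory data. As an added example (not from Derek Schatz's answer or the original page), the script below does that for one well-known case: the Heartbleed advisory data (CVE-2014-0160, OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g) is real; the `Advisory` type, the `audit` helper and the host `INVENTORY` are constructed for this example.

```python
"""Check a component inventory against known-affected version ranges (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# OpenSSL 1.0.x tags patch releases with a letter: 1.0.1 < 1.0.1a < ... < 1.0.1f < 1.0.1g.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def version_key(version: str) -> Tuple[int, int, int, int]:
    """Turn '1.0.1f' into a sortable tuple; the bare release sorts before any lettered one."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        # Pre-release strings such as '1.0.2-beta1' are not modelled by this example.
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, letter = m.groups()
    letter_rank = (ord(letter) - ord("a") + 1) if letter else 0
    return (int(major), int(minor), int(patch), letter_rank)


@dataclass(frozen=True)
class Advisory:  # hypothetical record type for this example
    cve: str
    component: str
    first_affected: str  # inclusive
    first_fixed: str     # exclusive


# Real advisory data: CVE-2014-0160 (Heartbleed) affects OpenSSL 1.0.1 through 1.0.1f,
# and 1.0.1g was the fix. The heartbeat extension first shipped in 1.0.1, so the
# 1.0.0 and 0.9.8 branches sort below the range and are correctly not flagged.
ADVISORIES: List[Advisory] = [Advisory("CVE-2014-0160", "openssl", "1.0.1", "1.0.1g")]


def is_affected(adv: Advisory, version: str) -> bool:
    """True when first_affected <= version < first_fixed under the ordering above."""
    k = version_key(version)
    return version_key(adv.first_affected) <= k < version_key(adv.first_fixed)


def audit(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (cve, component, installed_version) for every advisory that matches."""
    hits = []
    for adv in ADVISORIES:
        installed = inventory.get(adv.component)
        if installed is not None and is_affected(adv, installed):
            hits.append((adv.cve, adv.component, installed))
    return hits


# Constructed inventory for one hypothetical host, as a build or config step would export it.
INVENTORY: Dict[str, str] = {"openssl": "1.0.1e", "nginx": "1.6.2", "zlib": "1.2.8"}

if __name__ == "__main__":
    for cve, component, installed in audit(INVENTORY):
        print(f"{component} {installed}: affected by {cve}, patch required")
```

The check is only as good as the inventory feeding it. Distributions often backport fixes without changing the upstream version number, so an inventory built from `openssl version` output alone can report a patched package as vulnerable (or, with a hand-maintained list, miss one); the package manager's own revision string is the more reliable input.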
You are only part of the way done. Keeping people out is a good first step; the next ones are to figure out how you will detect when they do get in, what the maximum amount of damage they can do is, and what your response will be. Very few companies do those last few steps, and stand around like idiots and say: "That amazing security consultant said we're safe, but we still got hacked... what now?"

Keep your database and filesystem secured by limiting system account access to only what is needed. Does your system need to allow your SQL database to run command-line statements using EXEC? No, so lock that down, etc.

When your database does get hacked and copied, what information is in plain text, and how difficult will it be for them to decrypt or reverse-hash other data such as passwords? If you list all the customer emails in plain text, you've just lost customer trust. If you simply use an MD5 hash on your passwords, you've just lost 75%+ immediately to a rainbow table attack.

When the press comes to you and asks what happened, what will the first thing said be? It should be: "We detected the attack, limited system access, traced the source of the attack, patched the system, and we are confident that the user data taken will not be used because it was heavily encrypted."
Apollo Clark
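The MD5 point in the answer above is worth seeing in code. As an added example (not from Apollo Clark's answer or the original page), the script below contrasts unsalted MD5 with a per-user salted, deliberately slow PBKDF2-HMAC-SHA256 hash from Python's standard library. The `WORDLIST` is constructed and stands in for an attacker's precomputed table (a real rainbow table compresses its entries into hash chains, but the effect on an unsalted hash is the same: a lookup); the helper names and the record format are this example's own.

```python
"""Unsalted MD5 versus a salted, slow password hash (added example)."""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed wordlist standing in for the attacker's precomputed table.
WORDLIST = ["123456", "password", "password123", "letmein", "qwerty", "hunter2"]


def md5_hex(password: str) -> str:
    """The weak scheme from the answer: unsalted MD5, identical for every user with that password."""
    return hashlib.md5(password.encode()).hexdigest()


def build_md5_table(words) -> Dict[str, str]:
    """Precompute hash -> password once; the same table works against every leaked database."""
    return {md5_hex(w): w for w in words}


def crack_unsalted(table: Dict[str, str], stored_hash: str) -> Optional[str]:
    """Reversing an unsalted hash is a dictionary lookup; no hashing happens at crack time."""
    return table.get(stored_hash)


# Hardened scheme: random per-user salt plus a slow key derivation function.
ITERATIONS = 600_000  # work factor chosen for this example; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex'; the salt is fresh per call."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def crack_salted_with_table(table: Dict[str, str], stored: str) -> Optional[str]:
    """Apply the precomputed table to a salted record. It never matches: the attacker
    would need a separate table per salt value (2**128 possible salts here)."""
    digest_hex = stored.split("$")[-1]
    return table.get(digest_hex)


if __name__ == "__main__":
    table = build_md5_table(WORDLIST)
    leaked_md5 = md5_hex("password123")  # what a breached MD5-only user table contains
    print("MD5 record   ", leaked_md5, "->", crack_unsalted(table, leaked_md5))
    record = hash_password("password123")
    print("PBKDF2 record", record[:48] + "...", "->", crack_salted_with_table(table, record))
    print("login with correct password:", verify_password("password123", record))
    print("login with wrong password:  ", verify_password("password124", record))
```

Two things the code makes concrete: every user with the same password gets the same MD5, so one table answers all of them at once, while the salt makes each PBKDF2 record unique even for identical passwords; and the iteration count turns each guess from a lookup into real work, which is what limits an attacker who still has a good wordlist.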
Every system is always vulnerable to zero-day vulnerabilities. If your tools were unable to find flaws in your web app, it doesn't mean that it is fully secured. As Benjamin said above, a great tool is nothing if the tester has minimal knowledge of testing, and a simple tool can do lots of things if it is used by a well-experienced tester. Don't forget that the world's top penetration testers suggest using their manual knowledge together with their tools, and they do well at finding flaws, even in top-secured systems like Facebook, Google and Yahoo.
Nasrumminallah Zeeshan
There's no such thing as a perfectly secure app, only one where the vulnerabilities have not been found yet. Never assume otherwise, and never assume that if you yourself have not found any vulnerabilities it means nobody else (especially people who make their living on that sort of thing) will find any, or that none will appear after future changes to the system.
Michał Gawlas
“Testing shows the presence, not the absence of bugs” https://en.wikiquote.org/wiki/Edsger_W._Dijkstra#1960s
Bill Karwin