Penetration testing is widely used to audit the security protection of Web applications. However, it is often performed by specialized security experts only after development is completed and the application has been deployed into production. In this paper, we propose a model-driven penetration test framework for Web applications that provides a repeatable, systematic and cost-efficient approach fully integrated into a Security-Oriented Software Development Life Cycle. Security experts are still required to maintain the knowledge used by the framework, but regular testing personnel are capable of creating, running and maintaining penetration test campaigns. A prototype of the framework has been implemented and applied to two Web applications: the benchmark WebGoat web application, and a hospital adverse event management system currently under development. A preliminary evaluation based on the prototype demonstrates the feasibility and efficiency of the proposed framework.