Penetration testing is nothing but a test method where the security of a computer program or network is subjected to deliberate simulated attack.
As for the second part of your question. There are many things that you need to consider before you start pen testing.
Some basic steps to start pen testing would be:
Business logic testing
Session Management Testing
Data Validation Testing
Denial of Service Testing
Web Services Testing
Now it's only you who knows about your application and the business logic, so you have to think logically and come up with the scenarios. It would be better if you can also go for Threat Modeling. That way you can identify the risks and test accordingly.
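As an added illustration of what one of the listed areas, Session Management Testing, can look like in practice (example code written for this answer, not part of the original post), the following Python audits a `Set-Cookie` header for the attributes a session cookie should carry. The header strings, the cookie name `JSESSIONID` and the 16-character minimum length are constructed assumptions for the example.

```python
"""Audit a Set-Cookie header for common session-management weaknesses.

Constructed example: the headers below are made up for illustration.
"""
from typing import Dict, List

# Assumed minimum length for a session identifier in this example.
MIN_SESSION_ID_LEN = 16


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split a Set-Cookie header into its name/value pair and its attributes.

    Attribute names are lower-cased so lookups are case-insensitive;
    flag-only attributes (Secure, HttpOnly) map to an empty string.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {"__name__": name.strip(), "__value__": value.strip()}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return attrs


def audit_session_cookie(header: str) -> List[str]:
    """Return a list of findings; an empty list means no issues were spotted."""
    attrs = parse_set_cookie(header)
    findings: List[str] = []

    # Without Secure the cookie may be sent over plain HTTP.
    if "secure" not in attrs:
        findings.append("missing Secure attribute")

    # Without HttpOnly the cookie is readable from page scripts.
    if "httponly" not in attrs:
        findings.append("missing HttpOnly attribute")

    # SameSite=Lax or Strict limits cross-site request inclusion.
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not set to Lax or Strict")

    # Very short identifiers are easier to guess or brute-force.
    if len(attrs["__value__"]) < MIN_SESSION_ID_LEN:
        findings.append(
            f"session identifier shorter than {MIN_SESSION_ID_LEN} characters"
        )
    return findings


# Constructed sample headers: one weak, one hardened.
WEAK_HEADER = "JSESSIONID=abc123; Path=/"
HARDENED_HEADER = (
    "JSESSIONID=Zk9sQw1mB7rT3vX2nL5pC8dF; Path=/; Secure; HttpOnly; SameSite=Lax"
)

if __name__ == "__main__":
    for label, hdr in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        print(label, audit_session_cookie(hdr) or ["no findings"])
```

Running the script reports four findings for the weak header and none for the hardened one; the same parser can be pointed at real responses captured during a test to turn the "Session Management Testing" item above into a repeatable check.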