Discussion on: If you were tasked to conduct a security audit on a server/database-backed web app, where would you start?

[Guillaume Gautreau]

1. Make a precise list of valuables things you have to protect (data, access to the app for your clients, your own processing power, your bandwidth).
2. For each point in the previous list, try to list all the possible breaches you can think of
3. For each breaches, evaluate the probability and the eventual cost of an exploit of the breach
4. Sort the list by probability * cost and list possible counter measures for the most important possible issues.