DEV Community

Discussion on: If you were tasked to conduct a security audit on a server/database-backed web app, where would you start?

Cristiano D. Silva

You should check:

  • Web language security patches
  • Web framework security patches
  • Web application passes OWASP
  • Web server access
  • Database server access
  • Database users
  • Permissions for the users on the webserver
  • Contents of data on the database (you could easily find spam if the web layer is insecure)
  • If the servers are accessible from the web without a VPN or proper security (AWS has a good direction on that)
  • If the servers' OS has the latest security patches
  • CVEs

For the majority, you will very likely be dealing with outdated servers and unauthorized access or improper permissions for user access.
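As an added example that is not part of the original comment: a POSIX shell script that automates three of the checklist items above (whether the database server is reachable from every interface, which database users can connect from where, and whether the web root contains world-writable files) against constructed sample data. The socket table, MySQL user list and web-root listing are made up for illustration; on a real host you would pipe in the output of `ss -tlnp`, `mysql -N -e 'SELECT user, host FROM mysql.user'` and GNU `find /var/www -printf '%m %u %p\n'` instead. The port list and the "world-writable" rule are the author's own choices for this example, not anything the comment prescribes.

```shell
#!/bin/sh
# Added example (not from the original post). Three offline checks that mirror
# checklist items above: database exposure, database users, web-root permissions.
# Each function reads one command's output on stdin, so it can be fed either the
# constructed samples below or real output on the host being audited.

# Check 1: database/cache ports listening on every interface.
# Input format: `ss -tlnp`; output: one "EXPOSED <port>" line per finding.
exposed_db_ports() {
    awk '
      NR == 1 && $1 == "State" { next }                 # header line
      {
        n = split($4, a, ":"); port = a[n]              # "Local Address:Port"
        addr = substr($4, 1, length($4) - length(port) - 1)
        if ((addr == "0.0.0.0" || addr == "*" || addr == "[::]") &&
            (port == "3306" || port == "5432" || port == "27017" || port == "6379"))
            print "EXPOSED " port
      }'
}

# Check 2: MySQL accounts reachable from any host, and root usable remotely.
# Input format: tab-separated "user<TAB>host" rows from mysql.user.
risky_db_users() {
    awk -F'\t' '
      NR == 1 && $1 == "user" { next }                  # header row
      index($2, "%") > 0 { print "ANYHOST " $1 "@" $2; next }
      $1 == "root" && $2 != "localhost" && $2 != "127.0.0.1" {
          print "REMOTE_ROOT " $1 "@" $2 }'
}

# Check 3: world-writable files or directories under the web root.
# Input format: "<octal mode> <owner> <path>" as printed by GNU find -printf.
weak_webroot_perms() {
    awk '{
        other = substr($1, length($1), 1) + 0           # last octal digit
        if (int(other / 2) % 2 == 1) print "WORLD_WRITABLE " $3   # write bit = 2
    }'
}

# Constructed sample output (not captured from a real host).
sample_sockets() {
    printf '%s\n' \
      'State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process' \
      'LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=812,fd=21))' \
      'LISTEN 0 244 0.0.0.0:5432 0.0.0.0:* users:(("postgres",pid=904,fd=5))' \
      'LISTEN 0 511 *:80 *:* users:(("nginx",pid=1001,fd=6))' \
      'LISTEN 0 128 [::]:6379 [::]:* users:(("redis-server",pid=1200,fd=6))'
}
sample_db_users() {
    printf 'user\thost\nroot\tlocalhost\napp\t%%\napp\t10.0.%%\nreporting\t10.0.1.20\nroot\t10.0.0.5\n'
}
sample_webroot() {
    printf '%s\n' \
      '755 root /var/www/html' \
      '644 root /var/www/html/index.php' \
      '777 www-data /var/www/html/uploads' \
      '666 www-data /var/www/html/config.php' \
      '640 www-data /var/www/html/.env'
}

# Run all three checks over the samples; each finding is one line.
audit_sample() {
    sample_sockets  | exposed_db_ports
    sample_db_users | risky_db_users
    sample_webroot  | weak_webroot_perms
}

audit_sample
```

On the sample data the script reports PostgreSQL and Redis bound to all interfaces, the `app` account reachable from any host, `root` usable from 10.0.0.5, and a world-writable `uploads` directory and `config.php`. A finding is a prompt to look further (is the port filtered by a security group or firewall, does the account hold dangerous grants), not a verdict on its own.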