Inner Security services
Inner Security services range from network penetration testing to managed vulnerability assessment.
Source code analysis
Authentication - Can a brute-force attack or a dictionary-based attack compromise the system? Does a password policy exist? Have account lockouts been implemented in the code?
Authorisation - Could a malicious user escalate their privileges? Are any backdoor administrative features enabled in the source to allow developers to perform a quick debug of code? If so, have these features been disabled?
Data validation - Can the integrity of the system be compromised by an attacker due to a lapse in data validation? Is all request data sanitised and validated for such things as date range, type, format and character encoding?
Cryptography - What algorithm is being used to generate the authentication token?
Auditing and logging - Are debugging levels appropriately set for a live environment? Are all security-sensitive operations being logged to create an audit trail?
Exception management - Are exceptions being caught adequately? Do the exceptions presented to the user expose too much information?
Session management - Can a session token be replayed to impersonate the user? Are the session tokens random and not guessable?