Thanks Showtime8000, looks like a good checklist of questions to ask/investigate!

Perfect timing as doing some web app dev/sec evaluation right now.