How would you investigate whether a security issue is caused by misconfiguration, code, or infrastructure?