You are responsible for a web application that serves authenticated users, stores customer records, and exposes internal admin actions through the same backend. The app has recently grown quickly, and you now have to harden it without breaking availability or slowing releases. You also need to make sure security controls are measurable, not just documented.
How would you secure this web application end to end? Walk me through the controls you would put in place, the threats each one mitigates, and how you would verify that the protections are actually working.