You are responsible for validating a customer-facing web application that handles authentication, session state, and sensitive account data. The app sits behind a load balancer, calls internal APIs, and stores user records in a managed database. A recent release added new form inputs and an admin workflow, and you need to determine whether it introduced exploitable security issues.
How would you test the application for security vulnerabilities in a way that is systematic, repeatable, and tied to real threat paths? Walk me through how you would prioritize what to test, how you would prove a finding is exploitable, and how you would verify that a fix actually closes the issue.