So next week an "Information Security and Compliance Company" is doing a 16 hour "Application Penetration Test" on an application we developed. It's on a dedicated server with all the latest patches and is on lock down with IP address validation through the firewall. We have made sure every query is protected from SQL injection attacks and made sure any file uploaded to the application is uploaded outside the root and can not be called from a URL. We think we have covered all the bases, here is a list of what the application will go through.
Cross Site Scripting
Hidden Variable Manipulation
Now some of these are basic security 101, and ColdFusion has lots of tools to address the attacks. Has anyone ever gone through this? If so what type of things were found? Can anyone give me any suggestion of things to check?