Are you filtering binary data from CGIs and scripts?
It's possible for hackers to send you a URL with binary data included, which can execute a program granting access to your server. No matter what your CGI code is written in, it's a major risk if there's a way a client can fool a CGI script. For example, commands can be appended to a CGI script command page, where additional commands are postfixed to the CGI command being issued, such as "send me the password file."
When writing your scripts and CGIs or reviewing those that are written for you, remember this: filter out binary data and throw it in the bit-bucket where it belongs. Your server can be used to pass letterbombs and mailbombs this way. Do not become a willing accomplice.
In addition to checking for this, be sure your server software isn't susceptible to "buffer overflow" or other methods of passing a long URL to your server and crashing it.
Is your IT environment tied to Human Resources?
Ex-employees can be a major risk factor in any computing environment. Your IT department, Web site access, and network access must be closely tied to employee departure. People aren't so keen on risking their jobs with foolish activities, but when they have no job to risk, well, this could be a major problem.
Have you selected your Web server software based on security requirements also?
If you haven't looked at more than one Web server package, visit The Netcraft Web Server Survey (http://www.netcraft.com/survey/) or Internet.com's WebCompare (http://Webcompare.internet.com/) sites to see what each Web server package has to offer. You may be surprised.
Yes, Mr. Lemonjello, the number is...
Social engineering. I cannot say enough on this subject. A recent Dateline NBC show followed a "hacker" (paid by a large firm) who elicited information from someone at a company, and in less than 40 hours an entire banking system was compromised.
The whole process started with nothing more than a simple telephone number. The hacker gave his name, "Mr. Lemonjello." The person on the other end of the telephone complied because it sounded urgent. Don't let a hacker fool you or your staff into giving out passwords, phone numbers, and so on. Test whatever system you have in place at all levels for susceptibility to this.