This document describes a methodology called First Principles Vulnerability Assessment (FPVA) for identifying security vulnerabilities. FPVA is an analyst-centric and manual process that involves: 1) Analyzing a system's architecture and components, 2) Identifying key resources and privilege levels, 3) Evaluating components in-depth guided by the previous steps and knowledge of vulnerabilities, 4) Disseminating results to developers. FPVA was used to assess several grid middleware systems, finding over 50 vulnerabilities. While automated tools can help, manual assessment is still needed to identify new types of attacks not found by tools. Adopting FPVA leads to increased security awareness in development teams.