Did your project team start out by creating secure code? That’s the key to building truly secure applications, according to Ryan Berg, chief scientist for Ounce Labs Inc. In a SearchSoftwareQuality.com piece on developing secure applications, Berg wrote:
“Developing secure code must begin during requirement definition and continue throughout design and development, as well as during testing and deployment. If you wait until testing you are almost guaranteed to find insecurities, and all too often, you will not find all of them or even miss the most critical flaws.”
You’ll find some good information in the book “Fuzzing for Software Security Testing and Quality Assurance.” Here’s that book’s chapter on testing software for quality.
You can glean some good advice from this oldie-but-goody article by Ramesh Nagappan, CISSP, on Java application features and measures.
Rick Hower offers lists of security testing tools on the Software QA/Test Resource Center site, too.
If you find other resources, please let me know. I’d be interested in adding them to my list.