Security is one of the most complex aspects of software development and quality. There really isn’t a one-size-fits-all approach. Your approach needs to be organisation-wide, and agreed with many stakeholders because of its wide-ranging impact. A lot of it will be informed by the tech stack you sit within.
Have you done any threat modelling exercises? This is a must to understand where you need to target your testing. Combinations of defence in depth and breadth will need to be considered:
Static analysis approaches are essential, looking at errors in the code before it’s compiled or deployed. Dynamic scanning of the application under usage is also important, where tools like ZAP or BurpSuite can be useful. It’ll take a while to understand how these tools will be useful to you, by tuning them, monitoring and filtering results to avoid false positives, but bubbling up real bugs and false negatives.
If you are using exploratory approaches to your day-to-day testing, then the DAST tools can help you target where your testing needs to be most effective. Bug Magnet can be really useful here. I’ve added some extensions to Bug Magnet to my GitHub (github.com/danielbilling/security-test-learning), so you can add these if you like. One for XSS and one for SQLi.
These tools are powerful, and potentially dangerous if not used appropriately. Be wary. Let me know if you want some help or guidance.
Another aspect to consider is the monitoring of applications in production. What errors and usage patterns are kicked up when real users interact with the application? Does it surface nasties such as information disclosure, SQL statements or sensitive data in the logs? Does this stuff get surfaced to the user in a way a hacker could exploit? Look at using tools like Papertrail, SumoLogic or New Relic to monitor your app in production.
Maybe your ops guys have advice here, especially around things like intrusion detection and monitoring, to identify weak points and areas of interest.
Drop me a line if you want a chat.
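The production-log point above (raw SQL statements, credentials, tokens or card numbers leaking into logs) is the kind of thing you can check for automatically before a log aggregator ever sees it. Below is an added example, not code from the post or from Bug Magnet, that scans constructed sample log lines for those patterns; the log format, the pattern names and the Luhn filter on long digit runs (so plain order ids are not reported as card numbers) are my assumptions.

```python
import re

# Constructed sample log lines for the demo; not taken from any real system.
SAMPLE_LOG = """\
2024-01-05T10:00:01Z INFO  GET /login 200 12ms
2024-01-05T10:00:02Z DEBUG executing: SELECT * FROM users WHERE email='alice@example.com' AND password='hunter2'
2024-01-05T10:00:03Z WARN  payment failed for card 4111111111111111 exp 12/26
2024-01-05T10:00:04Z INFO  auth header: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc
2024-01-05T10:00:05Z ERROR order 1234567890123456 not found
2024-01-05T10:00:06Z INFO  GET /health 200 1ms
"""

# Each pattern names one class of information disclosure worth bubbling up.
PATTERNS = {
    "sql_statement": re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b.+\b(FROM|INTO|SET|WHERE)\b", re.I),
    "password_literal": re.compile(r"password\s*[=:]\s*'?[^'\s]+", re.I),
    "bearer_token": re.compile(r"Bearer\s+[A-Za-z0-9\-_.]{20,}"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "card_number": re.compile(r"\b\d{13,19}\b"),
}

def luhn_ok(digits):
    """Luhn checksum: filters out order ids that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def scan_line(line):
    """Return the list of pattern names that fire on one log line."""
    hits = []
    for name, rx in PATTERNS.items():
        m = rx.search(line)
        if m and (name != "card_number" or luhn_ok(m.group(0))):
            hits.append(name)
    return hits

def scan_log(text):
    """Return [(line_number, [pattern names])] for every line with a finding."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            findings.append((n, hits))
    return findings

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

Running it over the sample reports lines 2, 3 and 4 and stays quiet on the order id in line 5; the same function can be pointed at a real log file or wired into a log shipper as a pre-filter.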