How often should you perform security testing?

@jayharris_sec might be able to help here. He just gave an amazing live hacking session at Testing Atelier in Leeds.

At my work we run weekly Veracode sandbox scans and have verification / security testing as part of our regression. It’s also something we discuss when starting on new stuff, just like automation and load. The earlier we think about all those, the better the product becomes.

Bug Magnet is a cool extension that has some SQL Injection built in, but as Jay showed, you can just put ' to find security issues in forms, logins, etc.

1 Like
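The single-quote check mentioned in the post above, turned into a regression test against your own code. This is an added example, not part of the original post; the `users` table, the two login functions and `quote_probe` are constructed for illustration and use an in-memory SQLite database.

```python
import sqlite3

def make_db():
    """Constructed in-memory user table for the demo."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db

def login_concat(db, name, password):
    """Unsafe: form input is concatenated into the SQL text."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()[0] == 1

def login_param(db, name, password):
    """Hardened: input is bound as data and never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone()[0] == 1

def quote_probe(login, db):
    """Submit a lone single quote as the user name and classify the outcome.

    A database error means the quote reached the SQL parser, which is the
    signal that the query is built from unescaped input.
    """
    try:
        accepted = login(db, "'", "x")
    except sqlite3.Error as exc:
        return "sql-error: " + type(exc).__name__
    return "accepted" if accepted else "rejected"

if __name__ == "__main__":
    db = make_db()
    for fn in (login_concat, login_param):
        print(fn.__name__, "->", quote_probe(fn, db))
```

A check like `quote_probe` can sit in the regression suite next to the functional login tests, so a query that falls back to string concatenation fails the build.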