Security testing should be done as a standardized process. I would say this should be done with meticulous care, because you will not do it for every sprint/build release. It cannot be tacked on to an application at the last minute. A proper security framework should include continuous security training for all developers, threat models for the entire system, regular code reviews and planned penetration testing. There are a few methodologies which you can adopt to perform pen-testing.