How do you do security testing if you don't have an army of ninjas? Hire one of the few available? Train an existing, uninterested, full-time quality engineer, using development-focused and penetration-tester-focused courses and materials like SANS, OWASP, and CAPEC? Rely on automated scanning or penetration testing, both of which require expertise to interpret results and remove false positives, and both of which offer limited coverage?