If you completed functionality testing(I am assuming that you completed unit as well as integration testing as well) you can start with the performance testing depends on the requirement of the client. For the performance testing you need to use some tool whatever is suitable for your web application. I couldn't suggest you as I didn't know about the environment of the application.
Go into the requirements of you application and see what the specifications call for in the way of user load. If it says something like 50 concurrent users, then all you have to do is get together with 60 of your friends and bang away on the keyboards of separate computers performing similar tasks on the application to see if it fails. You should also measure a few trivial items like access times and resource allocations, etc. Security testing is even more fun, just get some of your hacker friends to try and crack your application. If they can, it fails. Simple huh? Ain't testing a blast?
Success is the ability to go from one failure to another with no loss of enthusiasm.
~ Winston Churchill ~
The best security test engineers have formal training. Security testing is potentially vast in terms of what needs to be addressed. Suggestion ... get training [img]images/icons/smile.gif[/img]
Security testing goes well beyond - login and logout. (well, well beyond - far beyond the reaches of the ionosphere, deep into glacial crevasses, to the edges of the universe (hope this gives you an idea of the vastness) [img]images/icons/smile.gif[/img] )
The kind of help you need has to start within your organization. I can only conclude that given your posts in the functional testing forum. Whoever got you into this pickle needs to understand the size of it and get you help!!!
Indicators suggest that not only do you need training, but you also need additional help with testing.