If you can identify components of your application then manual test cases can very well address security testing needs. Try breaking channels between components, check with security level details and assumptions. I do not have much experience with automated security testing but had addressed manual testing needs for a financial application where the scope was to check if fraudulent transactions can be avoided or if one can break the security of the application. Based on loopholes we had been able to apply patches to make the application more robust against fraudulent transactions.
Try approaching someone at Birla Horizon. I had got many tips from specs provided by them. This being a very narrow specialisation you may need to approach several places before someone nods yay to cater to your very specific needs.
I do not have a soft copy of the doc I referred to, otherwise at least I could have helped you to start.
Hi, I'd need more info to provide a detailed answer. Do you need help identifying the security concerns for your app? Do you know what the major concerns are, but need help specifying test cases?
Some of the security questions I have tested for on our web-based J2EE app: Can users from different companies access each others' data (direct or via reporting)? Can users within a company with limited permissions perform prohibited actions? Are users with inactivated accounts prohibited from logging in? Can our security be broken by fiddling with the URL?
I think that in general what you want to do is break 'security' down into specific goals, or cases you want to prevent. Then you should be able to devise manual tests to try to identify shortfalls.
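The four questions listed in the post above, written as a table of goals and expected outcomes and run against a toy access check. This is an added example, not code from the thread; the users, companies, roles, `/records/<id>` URL shape and both `authorize` functions are hypothetical stand-ins for a real application.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    company: str
    role: str          # "admin" or "viewer"
    active: bool = True

# Constructed sample data: record id -> owning company, role -> allowed actions
RECORDS = {"101": "acme", "202": "globex"}
ROLE_ACTIONS = {"admin": {"read", "update", "report"}, "viewer": {"read", "report"}}

def authorize(user, action, url):
    """Toy server-side check; the record id in the URL is user-controlled."""
    parts = url.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "records":
        return False                      # reject anything but /records/<id>
    owner = RECORDS.get(parts[1])
    if owner is None or not user.active:
        return False
    if action not in ROLE_ACTIONS.get(user.role, set()):
        return False
    return owner == user.company          # tenant check applies to reports too

def weak_authorize(user, action, url):
    """Deliberately flawed variant (role check only) that the table should flag."""
    return action in ROLE_ACTIONS.get(user.role, set())

ALICE = User("alice", "acme", "admin")
BOB = User("bob", "acme", "viewer")
CAROL = User("carol", "globex", "admin")
DAVE = User("dave", "acme", "admin", active=False)

# One row per security goal: (goal, user, action, url, expected result)
CASES = [
    ("own-company read allowed", ALICE, "read", "/records/101", True),
    ("cross-company read denied", CAROL, "read", "/records/101", False),
    ("cross-company report denied", CAROL, "report", "/records/101", False),
    ("limited role cannot update", BOB, "update", "/records/101", False),
    ("inactivated account denied", DAVE, "read", "/records/101", False),
    ("edited record id in URL denied", ALICE, "read", "/records/202", False),
    ("malformed URL denied", ALICE, "read", "/records/101/../202", False),
]

def run_cases(check=authorize):
    """Return the goals whose observed result differs from the expected one."""
    return [goal for goal, user, action, url, expected in CASES
            if check(user, action, url) != expected]

if __name__ == "__main__":
    print("authorize failures:", run_cases())
    print("weak_authorize failures:", run_cases(weak_authorize))
```

The same table works as a manual checklist: each row names the goal, the account to log in with, the request to attempt and the result that counts as a pass.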