Where to start with security testing?

I'd recommend to hire someone (or some developer could do that) to educate the QA team using OWASP Top 10 or WASC TC. If you want step-by-step guide how security testing should look like, you can use OWASP Testing Guide, which will give you pretty good picture.


To add to ewanm89's answer, a general approach to penetration testing is done by dividing the test up in different phases:

  • Planning
  • Discovery / Information Gathering
  • Attack
  • Reporting

Planning

During the planning phase, you typically set the scope of attack (What systems and what parts of it to test)

Discovery / Information Gathering

Host discovery, service discovery, network topology mapping, finding http/html form fields that can tested further. What information you need to gather is depending on what kind of security test you are going to perform.

Attack

Probing for vulnerabilities on the services you dicovered in the previous phase. As you most likely will find new and more relevant information during the attack phase, you will move between the discovery and attack phase. I.e. backend sql server behind the web server.

Reporting

In this section you report your findings. The final report typically have the following sections:

  • Executive Summary
  • Detailed Findings
  • Risk levels of vulnerabilities found
  • Business Impact
  • Recommendations
  • Conclusion

The following link describe this approach with details: Pentest phases


You could do a lot worse than starting with the Open Source Security Testing Manual (it's the manual which is open source not the target).

Looking at your current list, code (particularly, but not exclusively SQL) injection should be way up on your list.

If it's a web-based application then you should be looking at session fixation / hijacking, XSS. Do check out arachni.

If you're going to be addressing DDOS, then have a look at sloloris and throttled response strangling.

Getting people to think like an attacker is tricky (and questionable for its benefits - an attacker only needs one weakness, a defender has to cover them all). Maybe give them some honeypots to hone their skills on?