Abstract
Software security testing tools and methodologies are presently abundant, and the question no longer seems to be ``if to test'' for security, but rather ``where and when to test'' and ``then what?''. In this paper, we present a review of the security testing literature and propose a software security testing scheme that exploits an intra-organisational repository of discovered vulnerabilities to close the loop once the testing of one application is complete, providing useful input to the next application to be tested.