(from Software Quality book)
If you don't have a big list of security issues or need exploits, then one option is to hire a security company for forty to sixty days, and let them review your applications across the technology spectrum, and across the platform.
Their review shouldn't be limited to pen tests. The must perform an AppSec review where they will sit with the developers and basically hack anything that moves in that project (and even organisation). This allows them to produce case studies for you, and give you an idea of the risks. It is essentially a massive security test, across the board, that allows you to really understand what is going on within the company.
A second option is to hire the security consultants individually, although that might be harder initially. The size of your company could cause a problem in this scenario if it is so big that it uses a range of different technologies. In such a case you will struggle to hire somebody who understands all those different technologies.
A third option is to hire specific individuals from a specific consulting company. This means that not only do you have a much better talent pool to pick from, but you also have more continuity and consistency in the work they do for your company.
