Recently I was asked by one of my clients to do a security review of some of their code. I'm no security expert (and stated this to them) but I was still requested to do this. Having gotten this task I decided to look for lots of sources to do with security. I ended up scratching my head and use the old method of "do what feels right" , that is, try to pretend I was a hacker and see if any of the code could be compromised (lots of web services, queues etc.)
I'm not sure I did a great job, but I learned a lot. If only I had access to this article I'd be more sure of that:
How To: Perform a Security Code Review for Managed Code (.NET Framework 2.0)
(via varad)