At my last LMAX company, we looked at security features such as any other and automatic acceptance tests for these features.
We wrote acceptance tests that interacted with the system through the same channels as any other user of the system, and proved that the security conditions of the system work properly.
Thus, one test will claim that if the login was successful, other functions of the system were available. Another would argue that if the login to the system was unsuccessful, you would not be able to access the protected functions - just really.
The trick is to have your acceptance tests interact with the system through the same communication channels as real users, or as close to them as possible, no special tricks or back doors to the main logic of the application - especially there are no tricks or back doors that allow bypass protective functions; -)
Logging into the system is a trivial example, but this approach is applicable to any security function at the user level - virtually any function.
Of course, there are other security classes that check for buffer overflows, SQL injection, and so on. Many of them relate to keeping your application secure - a clear separation of duties, such as overlaying your application.
You can also include tests for these classes of security requirements in your acceptance tests, if necessary for your application, or perhaps add an additional step in the deployment pipeline to run tests for these types of impacts. It depends on the nature of your application, I will probably add to the acceptance tests for most applications, and take a dedicated approach at the development stage for applications where I could auto-generate test files to make injections - for example, search for a web application for all fields input and attempts to insert garbage?