The framework you use is irrelevant. There are a great many avenues. It is your responsibility as a developer to decide which one to use.
Your first step is to evaluate your code. There are many options available.
PHPCodeSniffer, configured to use PSR-0, PSR-1 & PSR-2 as the default rule sets.
PHP Mess Detector - Looks for algorithmic over-engineering and other nonsense.
A static analysis tool that runs as a web app.
Webgrind is an Xdebug profiling web frontend in PHP5.
Now, as for security, the only real way to do this is via a Penetration Test. Basically, you want to simulate an attack on your app and see how it holds up. There are a number of options:
Skipfish - It'll crawl your site to build a sitemap & then blast it.
Mantra - In my opinion, the holy grail of browser-based security testing. It's basically Firefox with a slew of tools.
OWASP ZAP - A proxy that does your typical intrusion & attacks.
Hope this helps.