Functionality testing does not test a products security. Even if a vulnerability is difficult to discover, someone will discover it given enough time. Various types of people test software security: security testers who work for software development companies, malicious users who hunt for security vulnerabilities so that they can commit crimes or spy, security consultants who are hired to break into a target, and hobbyists who do it for fun and profit.
Thorough security testing requires a deep understanding of how the tested functionality is implemented. The more information you have about how an application works, the more insight you will have in finding security vulnerabilities. Once you have a good understanding of how the tested functionality works, you need to think maliciously about how the functionality could be abused. Then you test your malicious ideas against the target. Throughout the process, it is important for you to stay up-to-date on the latest vulnerabilities and exploits by reading security mailing lists and/or attending security conferences because software security testing is a rapidly changing area.