There are two code scanning tools that point you to security misconfigurations in your model (Omnext, by Omnext and ACR by Mansystems – both are paid solutions). These are currently the only two tools that point to specific flaws in your code.
For manual penetration testing, the only tool that pen testers from multiple vendors seem to use is Burp Suite. Automated scanning tools won't find all problems in your app, so it's useful to have a professional test your application.
Finally, if you want to check your entity access settings, you can use the Security Inspector widget from the App Store.
To add to Rom’s answer, you can find more details on ACR at the link
ACR is a model analysis tool, which means it checks your model for vulnerabilities. There is another tool called AMS (also by Mansystems) which even checks your running application.
Both are paid solutions as Rom already pointed out.
Hope this helps
I’m currently working on an automated scanning tool that helps identify sensitive data exposure in Mendix applications.
Feel free to contact me on LinkedIn/Twitter (@xiwenc) if you’re interested to find out more. It’s currently in private beta. Hence there’s not much public information yet.