The Joomla! framework allows easily adding 3rd party extensions which can be vulnerable. These extensions aren't isolated from the rest of the framework, so any compromise there owns the entire framework. 3rd party extensions should be avoided, especially because most of them have been unsupported since Joomla! 1.5 was EOL. HUBzero 1.2 relies on Joomla! 2.5, which will likely be EOLed in December 2014. At that time 3rd party extensions will also likely stop being supported. Note that this is not an endorsement for the installation of 3rd party extensions until Joomla! 2.5 is EOLed.
A web application scanner will look for typical mistakes made in PHP applications: XSS, CSRF and SQL injections, and more. We use AppScan, but many free application scanners are available. You should scan any component you code yourself, or 3rd party component, that is not part of the HUBzero release. Also, if you modify a component in a HUBzero release, you should scan it for vulnerabilities the change may have introduced. If you find a vulnerability in the HUBzero release itself, please file a ticket at hubzero.org!