How does one rigorously test a site for both security and speed?
What are the ways and tools for that?
Can we mimic hundreds of virtual users visiting the site to see its load handling?
If this is just supposed to be a Stress Test, try http://freshmeat.net/projects/siege/
Siege is a regression test and benchmark utility. It can stress test a single URL with a user defined number of simulated users, or it can read many URLs into memory and stress them simultaneously. The program reports the total number of hits recorded, bytes transferred, response time, concurrency, and return status. Siege supports HTTP/1.0 and 1.1 protocols, GET and POST directives, cookies, transaction logging, and basic authentication. Its features are configurable on a per user basis.
ab is a tool for benchmarking the performance of your Apache HyperText Transfer Protocol (HTTP) server. It does this by giving you an indication of how many requests per second your Apache installation can serve.
For security tests, I strongly suggest to buy an audit and leave that to dedicated experts. There is just too many possible attack vectors that go beyond your app code.