Does my application need a security review

Yes

More specifically any new MediaWiki extension, or "service" needs review. Anything involving handling of sensitive data needs review. New libraries being added to MediaWiki need review.

Things that don't need review:
 * A new tool that is being developed at Toolforge (unless it is handling sensitive data. But sensitive data is not allowed to be handled at Toolforge)
 * Normal patches that aren't security sensitive (e.g. If you are rewriting the password system it needs review, but random patches don't)

However, even if your tool doesn't need review, the security team is happy to review it for you if you ask.