Michael Howard, co-author of Writing Secure Code*, has an excellent blog post on how static code analysis tools are only one weapon in your arsenal when writing secure code. I would highly recommend reading it. A quick summary… Unless you understand the threats, know how to architect secure applications, know how to write secure code, know how to test for security vulnerabilities, and then backstop it all with a static analysis tool, you’re doomed to write insecure code.
* Fantastic book. Everyone developing software, whether on the Microsoft platform or not, should read this book.