Security source code assessment tools 2008
By lain on Apr 23, 2008 in Sectools, Security
I’ve been collecting a list of security source code assessment tools built to analyze your code (C/C++, Java, .NET, PHP and others). Hope the list below helps you choose the best security source code assessment tool for you:
PMD
URL: http://sourceforge.net/projects/pmd
Java-based static analysis tool
Intended to find correctness and complexity issues; also finds some security issues
FindBugs
URL: http://findbugs.sourceforge.net/
Java-based static analysis tool
Intended to find correctness issues; also identifies some security issues
JeSS
URL: http://sourceforge.net/project/showfiles.php?group_id=141386
JeSS is a plugin for the Eclipse IDE. It is a static security scanner for Java source code. The plugin creates an AST for the source code and then uses the visitor pattern to find patterns in the AST that could be possible security bugs.
milk
URL: http://milk.sourceforge.net/
Milk is a security source code assessment tool that uses Orizon as its API. Milk scans Java and .NET source files to perform a security code review, aiming to point out misuse of safe-coding best practices.
BogoSec: Source Code Security Quality Metric
URL: http://bogosec.sourceforge.net/
BogoSec aims to increase awareness regarding code security vulnerabilities, while encouraging developers to produce more secure code over time. By simplifying the code scanning process, BogoSec achieves a goal of allowing developers to scan their code regularly and more effectively.
Users can also benefit from BogoSec in another way: comparing different available packages, or consecutive releases of one package, and identifying trends in their security level lets users make more educated software choices.
BogoSec is a pluggable flexible framework.
It currently has plugins to support the following three scanners:
Flawfinder http://www.dwheeler.com/flawfinder/
RATS http://www.securesw.com/rats/
ITS4 http://www.cigital.com/its4/
Hammurapi
URL: http://www.hammurapi.org/
There are a lot of tools for code analysis, not only for Java and .NET but also for ASP, PHP, C and so on. Enjoy it: http://www.nosec.org/web/index.php?q=codereview
(SWAAT), you can download it from our site. http://securitycompass.com/inner_swaat.shtml
There’s some good material from the speaker at the last OWASP-Austin (TX) meeting. He has links to open source Java and .NET static analysis tools. The presentation also includes some general info on static vs. dynamic analysis: http://denimgroup.typepad.com/denim_group/2008/03/static-analysis.html
From this presentation:
• FindBugs (Java) findbugs.sourceforge.net
• PMD (Java) pmd.sourceforge.net
• FxCop (.NET) www.gotdotnet.com/Team/FxCop/
FxCop is a code analysis tool that checks .NET managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines.
http://www.microsoft.com/downloads/details.aspx?familyid=3389F7E4-0E55-4A4D-BC74-4AEABB17997B&displaylang=en
• XSSDetect (.NET) blogs.msdn.com/ace_team/archive/2007/10/22/xssdetect-public-beta-now-available.aspx
Commercial Products:
I got a few recommendations for Fortify http://www.fortifysoftware.com
I got a couple of recommendations for XSS Detect for .NET as well. This beta version appears free to download, at least for now.
XSSDetect http://www.microsoft.com/downloads/details.aspx?FamilyID=19a9e348-bdb9-45b3-a1b7-44ccdcb7cfbe&displaylang=en
XSSDetect is a static code analysis tool that helps identify Cross-Site Scripting security flaws found within Web applications. It is able to scan compiled managed assemblies (C#, Visual Basic .NET, J#) and analyze dataflow paths from sources of user-controlled input to vulnerable outputs. It also detects whether proper encoding or filtering has been applied to the data and will ignore such “sanitized” paths.
Original source: webappsec mailing list
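As an added illustration (not code from the original post or from any of the tools listed), the following Python script shows the technique the JeSS and XSSDetect descriptions above refer to: walk an AST with a visitor, track user-controlled data from a source through assignments to an output sink, and ignore paths that pass through an encoder. The function names request_param, write_html and html_escape are hypothetical stand-ins, and the scanned sample program is constructed.

```python
import ast
# Hypothetical API names for the demo: where user input enters, where raw
# HTML leaves, and which encoder neutralises the data in between.
SOURCES, SINKS, SANITIZERS = {"request_param"}, {"write_html"}, {"html_escape"}
def call_name(node):
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
        return node.func.id
class TaintVisitor(ast.NodeVisitor):
    def __init__(self):
        self.tainted = set()   # variable names currently holding user input
        self.findings = []     # line numbers of sink calls fed tainted data
    def _is_tainted(self, expr):
        name = call_name(expr)
        if name in SOURCES:
            return True
        if name in SANITIZERS:
            return False   # encoded data: the sanitised path is ignored
        if isinstance(expr, ast.Name):
            return expr.id in self.tainted
        # concatenation, f-strings, other calls: tainted if any operand is
        return any(self._is_tainted(c) for c in ast.iter_child_nodes(expr))
    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self._is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)  # overwritten with safe data
        self.generic_visit(node)
    def visit_Call(self, node):
        if call_name(node) in SINKS and any(map(self._is_tainted, node.args)):
            self.findings.append(node.lineno)
        self.generic_visit(node)

def find_xss(source):
    """Return line numbers of sink calls reachable from unsanitised input."""
    visitor = TaintVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings

# Constructed sample program exercising sanitised and unsanitised paths.
SAMPLE = """
name = request_param("name")
safe = html_escape(name)
write_html("<p>Hello " + safe + "</p>")   # line 4: sanitised path, ignored
write_html("<p>Hello " + name + "</p>")   # line 5: reported
greeting = "Hi " + name
write_html(greeting)                      # line 7: reported via assignment
"""
```

Running find_xss(SAMPLE) reports lines 5 and 7 only; a real scanner adds a symbol table, branches and interprocedural flow on top of this same source-to-sink idea.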
sweet, as I didn’t find anything when I typed “fuzzer” in google-sama
thanks
hahaha some for linux