Slightly Off-Topic: Code Reviews
This chapter is about testing secure code, but testing does not and will not find all security bugs in any application. Another useful technique is to perform regular code reviews, which can often help you find bugs in rarely exercised code paths. If you're a tester who can read code, you should consider poring over new code (that is, code that is new since the last review) looking for the issues discussed in this book.
Although it is not a replacement for formal code inspection, such as Fagan-style code inspection, you can get a lot of mileage out of searching the application code for the dangerous APIs described in Appendix A, Dangerous APIs, and verifying that each function call is safe. Then review the code based on the contents of this book. For example, are sockets used well? Do the server Web pages correctly parse input? Are random numbers random? Are you using RC4 correctly? Do you store secrets securely? Do you have secrets embedded in code? And so on. In my experience, this small amount of work can help you find much of the low-hanging fruit.
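The first step described above, searching the code for dangerous API calls so a reviewer can triage each one, is easy to automate. The following Python scanner is an added example, not code from the book; the `DANGEROUS_APIS` table is a small constructed subset of well-known unsafe C runtime calls and stands in for, rather than reproduces, the list in Appendix A. The sample C source is constructed here to exercise the cases a naive `grep` gets wrong: a mention inside a comment, inside a string literal, or as part of a longer identifier such as `my_strcpy` or `snprintf`.

```python
import re

# Constructed subset of dangerous C runtime APIs with a one-line reason each.
# This is an assumption for the example; the book's Appendix A is the real list.
DANGEROUS_APIS = {
    "strcpy": "no bounds check on destination buffer",
    "strcat": "no bounds check on destination buffer",
    "sprintf": "no bounds check on destination buffer",
    "gets": "cannot limit input length",
    "strncpy": "may leave destination unterminated",
    "rand": "not suitable for security-sensitive random numbers",
}

# Match a listed name followed by '(' only when it is a whole identifier:
# the negative lookbehind rejects 'my_strcpy(' and 'snprintf(' ('n' + 'printf').
CALL_RE = re.compile(
    r"(?<![A-Za-z0-9_])(" + "|".join(map(re.escape, DANGEROUS_APIS)) + r")\s*\("
)


def strip_strings_and_line_comments(line: str) -> str:
    """Blank out "..." literals (honouring backslash escapes) and drop any
    trailing // comment, so mentions there do not produce findings."""
    line = re.sub(r'"(\\.|[^"\\])*"', '""', line)
    return line.split("//", 1)[0]


def find_dangerous_calls(source: str, filename: str = "<memory>") -> list:
    """Return (filename, line_number, api, reason) for every listed API call.

    Block comments are handled crudely: at most one /* ... */ region per line,
    and a '/*' inside a string literal would be misread. Good enough to build
    a review worklist; every finding still needs a human to judge it.
    """
    findings = []
    in_block_comment = False
    for lineno, line in enumerate(source.splitlines(), start=1):
        if in_block_comment:
            end = line.find("*/")
            if end == -1:
                continue                      # whole line is inside a comment
            line = line[end + 2:]
            in_block_comment = False
        start = line.find("/*")
        if start != -1:
            end = line.find("*/", start + 2)
            if end == -1:
                line = line[:start]
                in_block_comment = True       # comment continues on next line
            else:
                line = line[:start] + line[end + 2:]
        line = strip_strings_and_line_comments(line)
        for match in CALL_RE.finditer(line):
            api = match.group(1)
            findings.append((filename, lineno, api, DANGEROUS_APIS[api]))
    return findings


# Constructed sample source for the example; not from any real project.
SAMPLE_SOURCE = r'''
#include <string.h>
#include <stdio.h>

/* strcpy here is only mentioned in a comment */
void copy_name(char *dst, size_t dstlen, const char *src) {
    strcpy(dst, src);                 /* finding: unbounded copy */
    printf("copied with strcpy\n");   // string literal, not a call
    my_strcpy(dst, src);              // different function, not a call
    snprintf(dst, dstlen, "%s", src); // bounded, not in the list
}

int pick(void) {
    return rand() % 6;                /* finding: weak randomness */
}
'''


def report(source: str, filename: str) -> list:
    """Print a reviewer worklist and return the findings for further use."""
    findings = find_dangerous_calls(source, filename)
    for fname, lineno, api, reason in findings:
        print(f"{fname}:{lineno}: {api}() -- {reason}")
    return findings


if __name__ == "__main__":
    report(SAMPLE_SOURCE, "sample.c")
```

Running the block prints two worklist entries (the `strcpy` call on line 7 of the sample and the `rand` call on line 14) and nothing for the comment, the string literal, `my_strcpy` or `snprintf`. A real review would point `find_dangerous_calls` at every source file and then verify each reported call by hand, which is exactly the triage the paragraph describes.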