Here is the matrix presented by Jacob West and Alexander Hoole from HP Fortify at RSA 2012. They look at security bugs along 2 different dimensions:
|Explicit in Code||Implied in Code|
|Generic||50% – Can be found by static analysis tools||Can be found in pen testing or expert reviews|
|Application-Specific||Need to understand application patterns and requirements – custom rules and manual reviews||Probably can’t be found|
These guys are in the business of finding bugs with tools. So we forgive them their optimistic estimates. But even they have to admit we can not find everything with tools. And even with expert reviews, there still remains something that is not easily discoverable…
These problems are not easy and they require actual understanding of both software design and security of software. So if you use unskilled development force in your software house, be prepared that half of the security problems will not be possible to discover, whatever tools you use.